Autodesk ID: ADSK-SA-2021-0012
Product, Service, Component: Autodesk Products & Services
Impact: Code Execution
Severity: Critical
Original Publish: 12/23/2021
Last Revised: 1/26/2022
AUTODESK TRUST CENTER
Advisories are used to communicate information related to vulnerabilities identified with Autodesk® products and services. This includes any fixes or workarounds that are applicable to the affected product.
Severity | CVSS 3.0 Score | Impact
---|---|---
Low | 0.1 - 3.9 | A vulnerability where the scope and impact of exploitation are restricted and exploitation is extremely difficult.
Medium | 4.0 - 6.9 | A vulnerability where exploitation is mitigated by factors such as difficulty to exploit, default configuration or ease of identification.
High | 7.0 - 8.9 | A vulnerability which, if exploited, would directly impact the confidentiality, integrity or availability of a user's data or processing resources.
Critical | 9.0 - 10 | A vulnerability which, if exploited, would allow remote execution of malicious code without user action.
Autodesk is aware of the Apache Log4j security vulnerabilities. We have protection and defense strategies in place to identify and remediate any impacted Autodesk products, services or systems as the need arises.
Our investigation identified one impacted product that requires customers to apply a patch: Autodesk InfraWorks Traffic Simulation. As of January 26, 2022, a hotfix update is available for this product – see the table below for more details. We strongly recommend customers apply the update. All other Autodesk products and services have either been mitigated or were not vulnerable.
The details of the vulnerabilities are as follows:
1) CVE-2021-44228: The JNDI features may allow an individual who can control log messages or log message parameters to execute arbitrary code loaded from remote LDAP servers via network access.
2) CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations, which might lead to remote code execution.
3) CVE-2021-45105: It was found that the fix to address CVE-2021-45046 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
4) CVE-2021-44832: The JDBC Appender may allow an individual who can control log messages or log message parameters to execute arbitrary code loaded from remote LDAP servers via network access.
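A defender's first question for the four CVEs above is which log4j-core build is actually on a given host, since each CVE was closed in a different upstream release. The following is an added example, not Autodesk's code: it opens a jar offline, reads the version from the jar's Maven pom.properties, compares it against the log4j-core release that fixed each CVE, and records whether the JndiLookup class has been stripped from the archive (the class-removal workaround Apache published for the two JNDI lookup CVEs, treated here as mitigating only those two). The fixed-version table, the function names (scan_jar, scan_path, make_sample_jar, parse_version) and the constructed in-memory sample jars are assumptions of this example and do not come from the advisory.

```python
"""Offline check of a Java archive for the log4j-core fixes behind the four
CVEs in this advisory. Added example (not Autodesk code); it assumes the
standard log4j-core jar layout: Maven pom.properties under META-INF and the
JndiLookup class under org/apache/logging/log4j/core/lookup/."""
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# log4j-core release in which each CVE named in the advisory was fixed
# (assumption of this example, taken from the upstream Apache 2.x release line).
FIXED_IN: Dict[str, Version] = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}
# CVEs that removing JndiLookup.class from the jar is treated as mitigating
# (the class-removal workaround Apache published for the JNDI lookup issues).
JNDI_LOOKUP_CVES = ("CVE-2021-44228", "CVE-2021-45046")

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(pom_properties: str) -> Optional[Version]:
    """Turn the 'version=2.14.1' line of pom.properties into (2, 14, 1)."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def scan_jar(jar_bytes: bytes) -> dict:
    """Classify a jar against the advisory's CVEs.

    Returns the detected version, whether JndiLookup.class is still present,
    the CVEs whose fix the jar lacks ("unpatched"), and the CVEs the jar lacks
    a fix for but has mitigated by class removal ("mitigated")."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
    has_jndi = JNDI_LOOKUP in names
    result = {"version": version, "jndi_lookup": has_jndi, "unpatched": [], "mitigated": []}
    if version is None:
        # Not log4j-core, or repackaged without pom.properties: report, don't guess.
        return result
    for cve, fixed in FIXED_IN.items():
        if version >= fixed:
            continue
        if cve in JNDI_LOOKUP_CVES and not has_jndi:
            result["mitigated"].append(cve)
        else:
            result["unpatched"].append(cve)
    return result


def scan_path(path: str) -> dict:
    """Convenience wrapper for a jar on disk."""
    with open(path, "rb") as fh:
        return scan_jar(fh.read())


def make_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Build a constructed, in-memory jar with the log4j-core layout so the
    check can be exercised without a real artifact. The class bytes are a
    placeholder; only the entry name matters to the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: an old build, the same build with the class removed,
    # a 2.16.0 build and a fully patched 2.17.1 build.
    for ver, jndi in (("2.14.1", True), ("2.14.1", False), ("2.16.0", True), ("2.17.1", True)):
        state = "JndiLookup present" if jndi else "JndiLookup removed"
        print(ver, state, scan_jar(make_sample_jar(ver, jndi)))
```

Point scan_path at a real log4j-core jar to use it in an inventory script; note that shaded or repackaged jars may drop pom.properties, in which case the function reports no version rather than guessing, and that JndiLookup removal does not address the recursion (CVE-2021-45105) or JDBC Appender (CVE-2021-44832) issues, which is why those remain listed as unpatched on old builds regardless of the class check.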
For the table below:
Product | Remediation Status
---|---
AutoCAD | NOT VULNERABLE
AutoCAD LT | NOT VULNERABLE
AutoCAD Architecture | NOT VULNERABLE
AutoCAD Electrical | NOT VULNERABLE
AutoCAD Mechanical | NOT VULNERABLE
AutoCAD Map3D | NOT VULNERABLE
AutoCAD MEP | NOT VULNERABLE
AutoCAD Mobile App | Mitigated
AutoCAD Web App | NOT VULNERABLE
AutoCAD Online Services | Mitigated
AutoCAD Plant 3D | NOT VULNERABLE
Autodesk Advance Steel | NOT VULNERABLE
3ds MAX | NOT VULNERABLE
3ds MAX Interactive | NOT VULNERABLE
3ds MAX Design | NOT VULNERABLE
ACC Doc View | NOT VULNERABLE
ACC Insight | NOT VULNERABLE
Alias | NOT VULNERABLE
Autodesk App Store | NOT VULNERABLE
Arnold | NOT VULNERABLE
Assemble | NOT VULNERABLE
Autodesk Account Portal | Mitigated
Autodesk ADP | NOT VULNERABLE
Autodesk CFD | NOT VULNERABLE
Autodesk Docs | Mitigated
Autodesk Drive | NOT VULNERABLE
Autodesk Gallery | NOT VULNERABLE
Autodesk Rendering | NOT VULNERABLE
Autodesk Takeoff | NOT VULNERABLE
Autodesk Tandem | NOT VULNERABLE
Autodesk Viewer | NOT VULNERABLE
Autodesk Partner Web Services (PWS) | NOT VULNERABLE
AVA | Mitigated
BIM 360 Account Administration | NOT VULNERABLE
BIM 360 Build | Mitigated
BIM 360 Cost Management | NOT VULNERABLE
BIM 360 Collaborate | NOT VULNERABLE
BIM 360 Collaborate Pro | NOT VULNERABLE
BIM 360 Design Collaboration | NOT VULNERABLE
BIM 360 Docs | Mitigated
BIM 360 Mobile | Mitigated
BIM 360 Model Coordination | NOT VULNERABLE
BIM 360 Field | NOT VULNERABLE
BIM 360 Glue | NOT VULNERABLE
BIM 360 Insight | NOT VULNERABLE
BIM 360 IQ | NOT VULNERABLE
BIM 360 Ops | NOT VULNERABLE
BIM 360 Plan | Mitigated
BIM 360 Project Management | NOT VULNERABLE
BIM 360 Reports | Mitigated
BIM 360 Team Mobile | Mitigated
Build | NOT VULNERABLE
BuildingConnected | NOT VULNERABLE
BuildingConnected Pro | NOT VULNERABLE
CER v2 Services | NOT VULNERABLE
CAMplete | NOT VULNERABLE
Civil 3D | NOT VULNERABLE
Civil 3D Online Services | NOT VULNERABLE
Cloud Rendering | NOT VULNERABLE
Collaboration for AutoCAD Plant 3D | NOT VULNERABLE
Configurator 360 | NOT VULNERABLE
Constructware | NOT VULNERABLE
Autodesk Design Review | NOT VULNERABLE
Autodesk Desktop App | NOT VULNERABLE
Autodesk Desktop Connector | NOT VULNERABLE
Dynamo Machine Learning | NOT VULNERABLE
Dynamo Package Manager | NOT VULNERABLE
Dynamo Studio | NOT VULNERABLE
DWG Trueview | NOT VULNERABLE
Eagle | NOT VULNERABLE
Fabrication | NOT VULNERABLE
Factory Design Utilities | NOT VULNERABLE
FBX | NOT VULNERABLE
FeatureCAM | NOT VULNERABLE
Flame | NOT VULNERABLE
Forge - Data Management API | NOT VULNERABLE
Forge - Design Automation API | Mitigated
Forge - Reality Capture API | NOT VULNERABLE
Forge - Model Derivative API | Mitigated
Forge - Token Flex API | Mitigated
Formit | NOT VULNERABLE
Fusion 360 | Mitigated
Fusion 360 Desktop | NOT VULNERABLE
Fusion 360 Manage | Mitigated
Fusion 360 Mobile | Mitigated
Fusion Online | NOT VULNERABLE
Fusion Simulation | NOT VULNERABLE
Generative Design | Mitigated
Grading Optimization for Civil 3D | NOT VULNERABLE
HDS | NOT VULNERABLE
Healthhub | NOT VULNERABLE
Helius Composite | NOT VULNERABLE
Helius PFA | NOT VULNERABLE
HSMWorks | NOT VULNERABLE
Infrastructure Parts Editor | NOT VULNERABLE
InfraWorks | NOT VULNERABLE
InfraWorks Traffic Simulation desktop | 2022.1 Hotfix 3, Update Source: Autodesk Desktop App, or Accounts Portal
InfraWorks Translation Service | Mitigated
Insight | NOT VULNERABLE
Instructables | Mitigated
Innovyze Licensing Manager | NOT VULNERABLE
InfoWater Pro | NOT VULNERABLE
InfoWorks ICM | NOT VULNERABLE
InfoWorks WS Pro | NOT VULNERABLE
InfoDrainage | NOT VULNERABLE
MicroDrainage | NOT VULNERABLE
InfoAsset Manager | NOT VULNERABLE
InfoAsset Mobile | NOT VULNERABLE
InfoAsset Online | NOT VULNERABLE
Inventor | NOT VULNERABLE
Inventor CAM | NOT VULNERABLE
Inventor ETO | NOT VULNERABLE
Inventor Nastran | NOT VULNERABLE
Inventor Nesting | NOT VULNERABLE
Materials 360 | NOT VULNERABLE
Maya | NOT VULNERABLE
Maya LT | NOT VULNERABLE
Autodesk Meshmixer | NOT VULNERABLE
Moldflow | NOT VULNERABLE
MotionBuilder | NOT VULNERABLE
Mudbox | NOT VULNERABLE
Navisworks | NOT VULNERABLE
Navisworks Simulate | NOT VULNERABLE
Network Licensing Manager (NLM) | NOT VULNERABLE
Network Licensing Reporting Manager (NLRM) | NOT VULNERABLE
Network Licensing Reporting Service (NLRS) | NOT VULNERABLE
Netfabb | NOT VULNERABLE
Plangrid | NOT VULNERABLE
Plant Collaboration Services (based on BIM 360 Team) | NOT VULNERABLE
Point Layout | NOT VULNERABLE
PowerInspect | NOT VULNERABLE
Powermill | NOT VULNERABLE
Powershape | NOT VULNERABLE
Project Explorer for Civil 3D | NOT VULNERABLE
Pype | Mitigated
ReCap Pro | NOT VULNERABLE
ReCap Services | NOT VULNERABLE
Revit | NOT VULNERABLE
Revit LT | NOT VULNERABLE
Revit Cloud Model Upgrade | NOT VULNERABLE
Revit Cloud Worksharing / Cloud Models | NOT VULNERABLE
Robot Structural Analysis | NOT VULNERABLE
Shotgrid | NOT VULNERABLE
Smoke | NOT VULNERABLE
Spacemaker | NOT VULNERABLE
Structural Bridge Design | NOT VULNERABLE
Tinkercad | NOT VULNERABLE
Tradetapp | NOT VULNERABLE
Trucomposites | NOT VULNERABLE
Upchain | Mitigated
Vault | NOT VULNERABLE
Vehicle Tracking | NOT VULNERABLE
VRED | NOT VULNERABLE
Within Medical | NOT VULNERABLE
*Note: Product list table contents subject to change.
Autodesk highly recommends that customers of the affected product obtain and apply the latest hotfix for InfraWorks Traffic Simulation via the Autodesk Desktop App or the Accounts Portal. Customers who are using impacted product versions should then reinstall the software to apply the latest hotfix.
Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.
Protecting our customers’ data is our top priority. Learn more about our security and data privacy practices on the Autodesk Trust Center.
Revision | Date | Description
---|---|---
1.0 | 12/23/2021 | Initial release of the security advisory
1.1 | 1/21/2022 | Updated description and affected product table
1.2 | 1/26/2022 | Updated description and affected product table for InfraWorks Traffic Simulation
Disclaimer
INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.
© 2022, Autodesk, Inc.