Security Advisories | Autodesk Trust Center

Apache Log4j Vulnerabilities: Impact on Autodesk Products

Autodesk ID: ADSK-SA-2021-0012
Product, Service, Component: Autodesk Products & Services
Impact: Code Execution
Severity: Critical
Original Publish: 12/23/2021
Last Revised: 1/26/2022

Severity	CVSS 3.0 Score	Impact
Low	0.1 - 3.9	A vulnerability where scope and impact of exploitation is restricted and the ability to exploit is extremely difficult.
Medium	4.0 - 6.9	A vulnerability where exploitation is mitigated by factors such as difficulty to exploit, default configuration or ease of identification.
High	7.0 - 8.9	A vulnerability, which if exploited, would directly impact the confidentiality, integrity or availability of user’s data or processing resources.
Critical	9.0 - 10	A vulnerability, which if exploited, would allow remote execution of malicious code without user action.

Summary

Autodesk is aware of the Apache Log4j security vulnerabilities. We have protection and defense strategies in place to identify and remediate any impacted Autodesk products, services or systems as the need arises.

Our investigation identified one impacted product that requires customers to apply a patch: Autodesk InfraWorks Traffic Simulation. As of January 26, 2022, a hotfix update is available for this product – see the table below for more details. We strongly recommend customers apply the update. All other Autodesk products and services have either been mitigated or were not vulnerable.

Description

The details of the vulnerabilities are as follows:

1) CVE-2021-44228: The JNDI features may allow an individual who can control log messages or log message parameters to execute arbitrary code loaded from remote LDAP servers via network access.

2) CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations, which might lead to remote code execution.

3) CVE-2021-45105: It was found that the fix to address CVE-2021-45046 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.

4) CVE-2021-44832: The JDBC Appender may allow an individual who can control log messages or log message parameters to execute arbitrary code loaded from remote LDAP servers via network access.

For the table below:

“Mitigated” means that the product/service has been patched or the appropriate mitigation steps have been taken to minimize the risk to customers and their data.
“Not Vulnerable” means that the product/service does not use the vulnerable Apache log4j libraries.

Autodesk Products and Services Status:

Product	Remediation Status
AutoCAD	NOT VULNERABLE
AutoCAD LT	NOT VULNERABLE
AutoCAD Architecture	NOT VULNERABLE
AutoCAD Electrical	NOT VULNERABLE
AutoCAD Mechanical	NOT VULNERABLE
AutoCAD Map3D	NOT VULNERABLE
AutoCAD MEP	NOT VULNERABLE
AutoCAD Mobile App	Mitigated
AutoCAD Web App	NOT VULNERABLE
AutoCAD Online Services	Mitigated
AutoCAD Plant 3D	NOT VULNERABLE
Autodesk Advance Steel	NOT VULNERABLE
3ds MAX	NOT VULNERABLE
3ds MAX Interactive	NOT VULNERABLE
3ds MAX Design	NOT VULNERABLE
ACC Doc View	NOT VULNERABLE
ACC Insight	NOT VULNERABLE
Alias	NOT VULNERABLE
Autodesk App Store	NOT VULNERABLE
Arnold	NOT VULNERABLE
Assemble	NOT VULNERABLE
Autodesk Account Portal	Mitigated
Autodesk ADP	NOT VULNERABLE
Autodesk App Store	NOT VULNERABLE
Autodesk CFD	NOT VULNERABLE
Autodesk Docs	Mitigated
Autodesk Drive	NOT VULNERABLE
Autodesk Gallery	NOT VULNERABLE
Autodesk Rendering	NOT VULNERABLE
Autodesk Takeoff	NOT VULNERABLE
Autodesk Tandem	NOT VULNERABLE
Autodesk Viewer	NOT VULNERABLE
Autodesk Partner Web Services (PWS)	NOT VULNERABLE
AVA	Mitigated
BIM 360 Account Administration	NOT VULNERABLE
BIM 360 Build	Mitigated
BIM 360 Cost Management	NOT VULNERABLE
BIM 360 Collaborate	NOT VULNERABLE
BIM 360 Collaborate Pro	NOT VULNERABLE
BIM 360 Design Collaboration	NOT VULNERABLE
BIM 360 Docs	Mitigated
BIM 360 Mobile	Mitigated
BIM 360 Model Coordination	NOT VULNERABLE
BIM 360 Field	NOT VULNERABLE
BIM 360 Glue	NOT VULNERABLE
BIM 360 Insight	NOT VULNERABLE
BIM 360 IQ	NOT VULNERABLE
BIM 360 Ops	NOT VULNERABLE
BIM 360 Plan	Mitigated
BIM 360 Project Management	NOT VULNERABLE
BIM 360 Reports	Mitigated
BIM 360 Team Mobile	Mitigated
Build	NOT VULNERABLE
BuildingConnected	NOT VULNERABLE
BuildingConnected Pro	NOT VULNERABLE
CER v2 Services	NOT VULNERABLE
CAMplete	NOT VULNERABLE
Civil 3D	NOT VULNERABLE
Civil 3D Online Services	NOT VULNERABLE
Cloud Rendering	NOT VULNERABLE
Collaboration for AutoCAD Plant 3D	NOT VULNERABLE
Configurator 360	NOT VULNERABLE
Constructware	NOT VULNERABLE
Autodesk Design Review	NOT VULNERABLE
Autodesk Desktop App	NOT VULNERABLE
Autodesk Desktop Connector	NOT VULNERABLE
Dynamo Machine Learning	NOT VULNERABLE
Dynamo Package Manager	NOT VULNERABLE
Dynamo Studio	NOT VULNERABLE
DWG Trueview	NOT VULNERABLE
Eagle	NOT VULNERABLE
Fabrication	NOT VULNERABLE
Factory Design Utilities	NOT VULNERABLE
FBX	NOT VULNERABLE
FeatureCAM	NOT VULNERABLE
Flame	NOT VULNERABLE
Forge - Data Management API	NOT VULNERABLE
Forge – Design Automation API	Mitigated
Forge - Reality Capture API	NOT VULNERABLE
Forge - Mode Derivative API	Mitigated
Forge- Reality Capture API	NOT VULNERABLE
Forge - Token Flex API	Mitigated
Formit	NOT VULNERABLE
Fusion 360	Mitigated
Fusion 360 Desktop	NOT VULNERABLE
Fusion 360 Manage	Mitigated
Fusion 360 Mobile	Mitigated
Fusion Online	NOT VULNERABLE
Fusion Simulation	NOT VULNERABLE
Generative Design	Mitigated
Grading Optimization for Civil 3D	NOT VULNERABLE
HDS	NOT VULNERABLE
Healthhub	NOT VULNERABLE
Helius Composite	NOT VULNERABLE
Helius PFA	NOT VULNERABLE
HSMWorks	NOT VULNERABLE
Infrastructure Parts Editor	NOT VULNERABLE
InfraWorks	NOT VULNERABLE
InfraWorks Traffic Simulation desktop	2022.1 Hotfix 3, 2022.0 Hotfix 4, 2021.2 Hotfix 5, 2020.2 Hotfix 5, 2019.3 Hotfix 6 Update Source: Autodesk Desktop App, or Accounts Portal
InfraWorks Translation Service	Mitigated
Insight	NOT VULNERABLE
Instructables	Mitigated
Innovyze Licensing Manager	NOT VULNERABLE
InfoWater Pro	NOT VULNERABLE
InfoWorks ICM	NOT VULNERABLE
InfoWorks WS Pro	NOT VULNERABLE
InfoDrainage	NOT VULNERABLE
MicroDrainage	NOT VULNERABLE
InfoAsset Manager	NOT VULNERABLE
InfoAsset Mobile	NOT VULNERABLE
InfoAsset Online	NOT VULNERABLE
Inventor	NOT VULNERABLE
Inventor CAM	NOT VULNERABLE
Inventor ETO	NOT VULNERABLE
Inventor Nastran	NOT VULNERABLE
Inventor Nesting	NOT VULNERABLE
Materials 360	NOT VULNERABLE
Maya	NOT VULNERABLE
Maya LT	NOT VULNERABLE
Autodesk Meshmixer	NOT VULNERABLE
Moldflow	NOT VULNERABLE
MotionBuilder	NOT VULNERABLE
Mudbox	NOT VULNERABLE
Navisworks	NOT VULNERABLE
Navisworks Simulate	NOT VULNERABLE
Network Licensing Manager (NLM)	NOT VULNERABLE
Network Licensing Reporting Manager (NLRM)	NOT VULNERABLE
Network Licensing Reporting Service (NLRS)	NOT VULNERABLE
Netfabb	NOT VULNERABLE
Plangrid	NOT VULNERABLE
Plant Collaboration Services (based on BIM 360 Team)	NOT VULNERABLE
Point Layout	NOT VULNERABLE
PowerInspect	NOT VULNERABLE
Powermill	NOT VULNERABLE
Powershape	NOT VULNERABLE
Project Explorer for Civil 3D	NOT VULNERABLE
Pype	Mitigated
ReCap Pro	NOT VULNERABLE
ReCap Services	NOT VULNERABLE
Revit	NOT VULNERABLE
Revit LT	NOT VULNERABLE
Revit Cloud Model Upgrade	NOT VULNERABLE
Revit Cloud Worksharing / Cloud Models	NOT VULNERABLE
Robot Structural Analysis	NOT VULNERABLE
Shotgrid	NOT VULNERABLE
Smoke	NOT VULNERABLE
Spacemaker	NOT VULNERABLE
Structural Bridge Design	NOT VULNERABLE
Tinkercad	NOT VULNERABLE
Tradetapp	NOT VULNERABLE
Trucomposites	NOT VULNERABLE
Upchain	Mitigated
Vault	NOT VULNERABLE
Vehicle Tracking	NOT VULNERABLE
VRED	NOT VULNERABLE
Within Medical	NOT VUNERABLE

*Note: Product list table contents subject to change.

Recommendations

Autodesk highly recommends that customers of the affected products obtain and apply the latest Hotfixes for Infraworks Traffic Simulation via Autodesk Desktop App or the Accounts Portal. Customers who are using impacted product versions should then reinstall the software to apply the latest Hotfixes.

Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.

Protecting our customers’ data is our top priority. Learn more about our security and data privacy practices on the Autodesk Trust Center.

Revision History

Revision	Date	Description
1.0	12/23/2021	Initial Release of the security advisory
1.1	1/21/2022	Update Description, and Affected Product Table
1.2	1/26/2022	Update Description, and Affected Product Table for Infraworks Traffic Simulation

Disclaimer

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK® PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.