Solution

Xilinx Product Security Statement: CVE-2021-44228 Apache Log4j Vulnerability in Xilinx Products

Release Date
2022-04-05

As described in CVE-2021-44228, a remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via the JNDI LDAP endpoint. This issue only affects log4j versions 2.0 through 2.14.1. Applications using Log4j 1.x may be affected by this flaw if their configuration uses JNDI.

Xilinx Tool | Version | Status

Vitis, SDx, SDK, HLS, EDK | All Versions
  Vitis/SDx/SDK/HLS/EDK tools are not affected by the vulnerability CVE-2021-44228:
  • Vitis/SDx/SDK/HLS do not support remote access, so a user cannot connect to Vitis/SDx/SDK from a remote machine
  • Vitis/SDx/SDK/HLS is shipped with log4j version 1.x but does not use a JNDI configuration
  • EDK is shipped with log4j 1.x wrapper files but does not contain any files that are at risk from this vulnerability

Vivado | 2019.2 - 2021.2
  Vivado tool versions 2019.2 - 2021.2 are at very low risk of exploit:
  • Vivado uses log4j as part of the Sigasi syntax checker version 1.2 which, according to Sigasi, is not affected by JNDI vulnerabilities
  • Any risk of exploit can be eliminated by setting the default syntax checker to "Vivado" (ensuring the default is not set to "Sigasi")

Vivado | 2019.1 and earlier
  Vivado tool versions 2019.1 and earlier are not affected by the vulnerability described in CVE-2021-44228:
  • Vivado is shipped with log4j version 1.x, but it is used only for HLS, which is not affected (see above for HLS status)

ISE, ISE for SIRF Devices | 14.7, 13.2
  ISE tools are not affected by the vulnerability described in CVE-2021-44228:
  • ISE is shipped with log4j version 1.x, but it is used only for EDK, which is not affected (see above for EDK status)

Vivado and Vitis tools currently ship with an older version of log4j. While there is very little risk of exploit, out of an abundance of caution a patch for supported (recent) versions of Vivado and Vitis is available to update log4j.

Patch Version 2.5
Description:
  • This patch will work for Vivado and Vitis tools versions 2020.2 through 2021.2
  • This patch contains a script which will update the log4j version to 2.17.0

Instructions:

  1. Download the "Patch-Log4j-2.5.zip" file
     Download Verification Files: Digests | Signature | Public Key
  2. Unarchive the file into the installation root location
     default Windows installation location: C:\Xilinx
     default Linux installation location: /opt/Xilinx or /tools/Xilinx
     Note: While extracting this patch on Windows, make sure the destination folder does not contain the zip file name (Patch-Log4j-2.5). For example, if the installation root is C:\Xilinx, make sure that after extraction the log4j_patch folder is directly under C:\Xilinx, i.e. C:\Xilinx\log4j_patch
  3. Open the README for patch installation instructions

Notes:

  • Make sure all Xilinx tools, including Xilinx Information Center (XiC) processes, have been stopped before applying this patch.
  • To confirm the patch has been installed correctly, look for the message "AR76957 patch has been successfully applied" on stdout.
  • If Vivado or Vitis tools are updated after patching, the patch will need to be reapplied.
  • For Vitis tools, after installing the patch it is mandatory to launch the tool with the command "vitis -eclipseargs -clean" the first time it is invoked.
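The checks in the steps and notes above (which log4j version a Vivado or Vitis installation actually carries, and whether the patch folder landed directly under the installation root rather than one level too deep) can be scripted. This Python example is added here and is not Xilinx's patch script; the jar file names and lib/ paths in its constructed sample tree are assumptions, not a real Xilinx layout.

```python
"""Added example, not Xilinx's patch script: inventory the log4j jars under a
Xilinx installation root, classify them against CVE-2021-44228 as the statement
describes, and check that log4j_patch sits directly under the root."""
import os
import re
import tempfile

# Matches e.g. log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-api-2.17.0.jar
JAR_RE = re.compile(r"^log4j(?:-(?:core|api|1\.2-api))?-(\d+(?:\.\d+)*)\.jar$")

def classify(version):
    """Status of one log4j version tuple: 2.0..2.14.1 is affected, 1.x only
    matters if JNDI is configured, 2.17.0 is what the Xilinx patch installs."""
    if (2, 0) <= version <= (2, 14, 1):
        return "affected"
    if version[0] == 1:
        return "log4j 1.x: not affected unless JNDI is configured"
    if version >= (2, 17, 0):
        return "patched"
    return "2.x below 2.17.0: not the version the patch installs"

def inventory(root):
    """Return {jar path relative to root: status} for every log4j jar found."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                version = tuple(int(p) for p in m.group(1).split("."))
                found[rel.replace(os.sep, "/")] = classify(version)
    return found

def patch_layout_ok(root, zip_name="Patch-Log4j-2.5"):
    """True only when <root>/log4j_patch exists and no copy was extracted one
    level too deep under <root>/Patch-Log4j-2.5/ (the note in step 2)."""
    return (os.path.isdir(os.path.join(root, "log4j_patch"))
            and not os.path.isdir(os.path.join(root, zip_name, "log4j_patch")))

def demo():
    """Constructed sample tree (jar names and lib/ paths are assumed, not a
    real Xilinx layout); returns (inventory, layout_ok) for it."""
    root = tempfile.mkdtemp()
    for rel in ("Vivado/2021.2/lib/log4j-core-2.14.1.jar",
                "Vitis/2021.2/lib/log4j-1.2.17.jar",
                "Patch-Log4j-2.5/log4j_patch/README"):  # extracted too deep
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    return inventory(root), patch_layout_ok(root)
```

Run `inventory("/opt/Xilinx")` (or the Windows root) before and after applying the patch; a jar still classified "affected" after patching means the script did not reach that tool tree.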
Known Issues:

  • Vitis:
    The following errors can be ignored:
      std err: SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
      std err: SLF4J: Defaulting to no-operation (NOP) logger implementation
      std err: SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
  • Installer:
    1. After the patch has been installed, the batch mode uninstaller will no longer work and generates the following error message. As a workaround, use the UI uninstaller to uninstall Vivado.
       Exception in thread "main" java.lang.NullPointerException
         at com.xilinx.installer.cli.g.b(Unknown Source)
         at com.xilinx.installer.cli.g.a(Unknown Source)
         at com.xilinx.installer.cli.g.a(Unknown Source)
         at com.xilinx.installer.api.InstallerLauncher.main(Unknown Source)

    2. On Windows, the Upgrader and Uninstaller will not work from Windows shortcuts. You must start the Upgrader or Uninstaller from a command prompt (as Administrator). To do so, open a command prompt as Administrator, then:
       1 - Change directory to the root of the installation, e.g. cd C:\Xilinx\.xinstall\
       2 - Change directory to the desired tool, e.g. cd Vivado_Lab_2021
       3a - To uninstall, run: bin\xsetup.bat -Uninstall
       3b - To upgrade, run: bin\xsetup.bat

    3. On both Windows and Linux, the Upgrader and Uninstaller UI will not exit after the process is done; you have to kill the process manually. You might see the following in the console. These errors or warnings can be safely ignored.
       Exception in thread "Thread-3" java.lang.NoClassDefFoundError: org/apache/log4j/FileAppender
         at com.xilinx.installer.utils.j.d(Unknown Source)
         at n.k.run(Unknown Source)
  • Xilinx Information Center (XiC):
    The Xilinx Information Center will not work after applying this patch. This will be fixed in a future version of Vivado.

Xilinx strongly recommends that customers use the latest release available.

For customers using older tools, we believe the risk associated with the vulnerability described in CVE-2021-44228 to be very low.