As described in CVE-2021-44228, a remote attacker who can control log messages or log message parameters can execute arbitrary code on the server via the JNDI LDAP endpoint. This issue only affects log4j versions between 2.0 and 2.14.1. Applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI.
Vitis/SDx/SDK/HLS/EDK tools are not affected by the vulnerability CVE-2021-44228:
Vivado 2019.2 - 2021.2
Vivado tool versions 2019.2 - 2021.2 are at very low risk of exploit:
Vivado 2019.1 and earlier
Vivado tool versions 2019.1 and earlier are not affected by the vulnerability described in CVE-2021-44228:
ISE for SIRF Devices
ISE tools are not affected by the vulnerability described in CVE-2021-44228
Vivado and Vitis tools currently ship with an older version of log4j. While there is very little risk of exploit, out of an abundance of caution a patch for supported (recent) versions of Vivado and Vitis is available to update log4j.
Patch Version 2.5
Instructions:
1. Download the "Patch-Log4j-2.5.zip" file
2. Unarchive file into installation root location
default Windows installation location: C:\Xilinx
default Linux installation location: /opt/Xilinx or /tools/Xilinx
Note: While extracting this patch on Windows, make sure the destination folder does not contain the zip file name (Patch-Log4j-2.5). EX: If the installation root is C:\Xilinx, make sure that after the extraction the log4j_patch folder is under C:\Xilinx, i.e.: C:\Xilinx\log4j_patch
3. Open README for patch installation instructions
The following errors can be ignored:
1. After the patch has been installed, the batch mode uninstaller will no longer work (generates the following error message). As a workaround, to uninstall Vivado, use the UI uninstaller instead.
Exception in thread "main" java.lang.NullPointerException
    at com.xilinx.installer.cli.g.b(Unknown Source)
    at com.xilinx.installer.cli.g.a(Unknown Source)
    at com.xilinx.installer.cli.g.a(Unknown Source)
    at com.xilinx.installer.api.InstallerLauncher.main(Unknown Source)
2. On Windows, Upgrader and Uninstaller will not work from Windows shortcuts. You must start Upgrader or Uninstaller from a command prompt (as Administrator).
To start Upgrader or Uninstaller, open a command prompt as Administrator:
1 - Change the directory to the root of installation, EX: cd C:\Xilinx\.xinstall\
2 - Change the directory to the desired tool, EX: cd Vivado_Lab_2021
3a - To Uninstall run: bin\xsetup.bat -Uninstall
3b - To Upgrade run: bin\xsetup.bat
3. On both Windows and Linux, the Upgrader and Uninstaller UI will not exit after the process is done; you have to kill the process manually. You might see the following in the console. These errors or warnings can be safely ignored.
Exception in thread "Thread-3" java.lang.NoClassDefFoundError: org/apache/log4j/FileAppender
    at com.xilinx.installer.utils.j.d(Unknown Source)
    at n.k.run(Unknown Source)
Xilinx strongly recommends that customers use the latest release available.
For customers using older tools, we believe the risk associated with the vulnerability described in CVE-2021-44228 to be very low.
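An inventory check for the affected range stated at the top of this advisory, added here as an example and not part of the Xilinx patch or tools: it walks an installation root, reads each log4j jar's version and sorts it against 2.0 - 2.14.1. Reading the version from the manifest's Implementation-Version entry, with the file name as fallback, is an assumption about how the jars are packaged; the function names are illustrative.

```python
import re
import sys
import zipfile
from pathlib import Path

# Affected range as stated in this advisory: log4j 2.0 through 2.14.1.
AFFECTED_LOW, AFFECTED_HIGH = (2, 0, 0), (2, 14, 1)
# Default installation roots listed in the patch instructions.
DEFAULT_ROOTS = [r"C:\Xilinx", "/opt/Xilinx", "/tools/Xilinx"]
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")

def parse_version(text):
    """Return the last x.y[.z] found in text as a 3-tuple, or None."""
    found = VERSION_RE.findall(text or "")
    if not found:
        return None
    parts = [int(p) for p in found[-1].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def jar_version(jar):
    """Assumption: the manifest carries Implementation-Version; else use the file name."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return parse_version(line.split(":", 1)[1]) or parse_version(jar.name)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: fall back to the name
    return parse_version(jar.name)

def classify(version):
    if version is None:
        return "unknown version: inspect manually"
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "in affected range 2.0 - 2.14.1"
    if version[0] == 1:
        return "1.x: impacted only if configuration uses JNDI"
    return "outside affected range"

def scan(root):
    """Version inventory of every log4j*.jar under root: (path, version, verdict)."""
    jars = [p for p in Path(root).rglob("*.jar") if "log4j" in p.name.lower()]
    versions = [(str(p), jar_version(p)) for p in sorted(jars)]
    return [(path, v, classify(v)) for path, v in versions]

if __name__ == "__main__":
    for root in sys.argv[1:] or [r for r in DEFAULT_ROOTS if Path(r).is_dir()]:
        for path, version, verdict in scan(root):
            print(f"{verdict:45} {path}")
```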