Autodesk ID: ADSK-SA-2021-0012
Product, Service, Component: Autodesk Products & Services
Impact: Code Execution
Severity: Critical
Original Publish: 12/23/2021
Last Revised: 1/26/2022
Severity | CVSS Score | Impact |
---|---|---|
Low | 0.1 - 3.9 | A vulnerability where scope and impact of exploitation is restricted and the ability to exploit is extremely difficult. |
Medium | 4.0 - 6.9 | A vulnerability where exploitation is mitigated by factors such as difficulty to exploit, default configuration or ease of identification. |
High | 7.0 - 8.9 | A vulnerability, which if exploited, would directly impact the confidentiality, integrity or availability of user's data or processing resources. |
Critical | 9.0 - 10 | A vulnerability, which if exploited, would allow remote execution of malicious code without user action. |
Autodesk is aware of the Apache Log4j security vulnerabilities. We have protection and defense strategies in place to identify and remediate any impacted Autodesk products, services or systems as the need arises.
Our investigation identified one impacted product that requires customers to apply a patch: Autodesk InfraWorks Traffic Simulation. As of January 26, 2022, a hotfix update is available for this product – see the table below for more details. We strongly recommend customers apply the update. All other Autodesk products and services have either been mitigated or were not vulnerable.
The details of the vulnerabilities are as follows:
CVE-2021-44228: The JNDI features may allow an individual who can control log messages or log message parameters to execute arbitrary code loaded from remote LDAP servers via network access.
CVE-2021-45046: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations, which might lead to remote code execution.
CVE-2021-45105: It was found that the fix to address CVE-2021-45046 did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted.
CVE-2021-44832: The JDBC Appender may allow an individual who can control log messages or log message parameters to execute arbitrary code loaded from remote LDAP servers via network access.
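An added example (not Autodesk's or Apache's code) for checking an installation against the four CVEs above: it looks inside JAR/WAR/EAR archives, including nested ones, for log4j-core and reports which of the CVEs its version predates. The fix versions come from Apache's Log4j security page rather than this advisory, only the main 2.x release line is modelled, and the sample archive is constructed.

```python
import io, re, zipfile
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")
# First main-line 2.x release fixing each CVE (Apache's Log4j security page,
# not this advisory). Backport lines 2.3.x/2.12.x are over-reported here.
FIXED_IN = {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0),
            "CVE-2021-45105": (2, 17, 0), "CVE-2021-44832": (2, 17, 1)}

def open_cves(version):
    """CVEs listed in the advisory that this log4j-core version predates."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m or m.group(1) != "2":
        return []  # 1.x and unparsable versions need manual review
    v = tuple(int(x or 0) for x in m.groups())
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]

def scan_archive(data, label, findings=None, depth=0):
    """Inspect archive bytes, descending into nested JAR/WAR/EAR files."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:  # JNDI alone: shaded/uber JAR
            props = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"
            findings.append({"path": label, "version": version,
                             "jndi_lookup": JNDI in names, "open_cves": open_cves(version)})
        for n in sorted(names):
            if depth < 4 and n.lower().endswith(ARCHIVES):
                scan_archive(zf.read(n), f"{label}!/{n}", findings, depth + 1)
    return findings

def constructed_sample():
    """Constructed input: a WAR bundling a log4j-core 2.15.0 JAR."""
    def z(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in entries.items():
                zf.writestr(name, body)
        return buf.getvalue()
    return z({"WEB-INF/lib/log4j-core-2.15.0.jar": z({POM: "version=2.15.0\n", JNDI: b""})})

if __name__ == "__main__":
    print(scan_archive(constructed_sample(), "sample.war"))
```

To cover an install directory, read each archive found under it and pass the bytes and path to `scan_archive`; a finding with version `unknown` means the JNDI lookup class is present without Maven metadata and needs manual review.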
For the table below:
“Mitigated” means that the product/service has been patched or the appropriate mitigation steps have been taken to minimize the risk to customers and their data.
“Not Vulnerable” means that the product/service does not use the vulnerable Apache Log4j libraries.
Product: AutoCAD
Remediation Status: NOT VULNERABLE
Product: AutoCAD LT
Remediation Status: NOT VULNERABLE
Product: AutoCAD Architecture
Remediation Status: NOT VULNERABLE
Product: AutoCAD Electrical
Remediation Status: NOT VULNERABLE
Product: AutoCAD Mechanical
Remediation Status: NOT VULNERABLE
Product: AutoCAD Map3D
Remediation Status: NOT VULNERABLE
Product: AutoCAD MEP
Remediation Status: NOT VULNERABLE
Product: AutoCAD Mobile App
Remediation Status: Mitigated
Product: AutoCAD Web App
Remediation Status: NOT VULNERABLE
Product: AutoCAD Online Services
Remediation Status: Mitigated
Product: AutoCAD Plant 3D
Remediation Status: NOT VULNERABLE
Product: Autodesk Advance Steel
Remediation Status: NOT VULNERABLE
Product: 3ds MAX
Remediation Status: NOT VULNERABLE
Product: 3ds MAX Interactive
Remediation Status: NOT VULNERABLE
Product: 3ds MAX Design
Remediation Status: NOT VULNERABLE
Product: ACC Doc View
Remediation Status: NOT VULNERABLE
Product: ACC Insight
Remediation Status: NOT VULNERABLE
Product: Alias
Remediation Status: NOT VULNERABLE
Product: Autodesk App Store
Remediation Status: NOT VULNERABLE
Product: Arnold
Remediation Status: NOT VULNERABLE
Product: Assemble
Remediation Status: NOT VULNERABLE
Product: Autodesk Account Portal
Remediation Status: Mitigated
Product: Autodesk ADP
Remediation Status: NOT VULNERABLE
Product: Autodesk CFD
Remediation Status: NOT VULNERABLE
Product: Autodesk Docs
Remediation Status: Mitigated
Product: Autodesk Drive
Remediation Status: NOT VULNERABLE
Product: Autodesk Gallery
Remediation Status: NOT VULNERABLE
Product: Autodesk Rendering
Remediation Status: NOT VULNERABLE
Product: Autodesk Takeoff
Remediation Status: NOT VULNERABLE
Product: Autodesk Tandem
Remediation Status: NOT VULNERABLE
Product: Autodesk Viewer
Remediation Status: NOT VULNERABLE
Product: Autodesk Partner Web Services (PWS)
Remediation Status: NOT VULNERABLE
Product: AVA
Remediation Status: Mitigated
Product: BIM 360 Account Administration
Remediation Status: NOT VULNERABLE
Product: BIM 360 Build
Remediation Status: Mitigated
Product: BIM 360 Cost Management
Remediation Status: NOT VULNERABLE
Product: BIM 360 Collaborate
Remediation Status: NOT VULNERABLE
Product: BIM 360 Collaborate Pro
Remediation Status: NOT VULNERABLE
Product: BIM 360 Design Collaboration
Remediation Status: NOT VULNERABLE
Product: BIM 360 Docs
Remediation Status: Mitigated
Product: BIM 360 Mobile
Remediation Status: Mitigated
Product: BIM 360 Model Coordination
Remediation Status: NOT VULNERABLE
Product: BIM 360 Field
Remediation Status: NOT VULNERABLE
Product: BIM 360 Glue
Remediation Status: NOT VULNERABLE
Product: BIM 360 Insight
Remediation Status: NOT VULNERABLE
Product: BIM 360 IQ
Remediation Status: NOT VULNERABLE
Product: BIM 360 Ops
Remediation Status: NOT VULNERABLE
Product: BIM 360 Plan
Remediation Status: Mitigated
Product: BIM 360 Project Management
Remediation Status: NOT VULNERABLE
Product: BIM 360 Reports
Remediation Status: Mitigated
Product: BIM 360 Team Mobile
Remediation Status: Mitigated
Product: Build
Remediation Status: NOT VULNERABLE
Product: BuildingConnected
Remediation Status: NOT VULNERABLE
Product: BuildingConnected Pro
Remediation Status: NOT VULNERABLE
Product: CER v2 Services
Remediation Status: NOT VULNERABLE
Product: CAMplete
Remediation Status: NOT VULNERABLE
Product: Civil 3D
Remediation Status: NOT VULNERABLE
Product: Civil 3D Online Services
Remediation Status: NOT VULNERABLE
Product: Cloud Rendering
Remediation Status: NOT VULNERABLE
Product: Collaboration for AutoCAD Plant 3D
Remediation Status: NOT VULNERABLE
Product: Configurator 360
Remediation Status: NOT VULNERABLE
Product: Constructware
Remediation Status: NOT VULNERABLE
Product: Autodesk Design Review
Remediation Status: NOT VULNERABLE
Product: Autodesk Desktop App
Remediation Status: NOT VULNERABLE
Product: Autodesk Desktop Connector
Remediation Status: NOT VULNERABLE
Product: Dynamo Machine Learning
Remediation Status: NOT VULNERABLE
Product: Dynamo Package Manager
Remediation Status: NOT VULNERABLE
Product: Dynamo Studio
Remediation Status: NOT VULNERABLE
Product: DWG Trueview
Remediation Status: NOT VULNERABLE
Product: Eagle
Remediation Status: NOT VULNERABLE
Product: Fabrication
Remediation Status: NOT VULNERABLE
Product: Factory Design Utilities
Remediation Status: NOT VULNERABLE
Product: FBX
Remediation Status: NOT VULNERABLE
Product: FeatureCAM
Remediation Status: NOT VULNERABLE
Product: Flame
Remediation Status: NOT VULNERABLE
Product: Forge - Data Management API
Remediation Status: NOT VULNERABLE
Product: Forge – Design Automation API
Remediation Status: Mitigated
Product: Forge - Reality Capture API
Remediation Status: NOT VULNERABLE
Product: Forge - Model Derivative API
Remediation Status: Mitigated
Product: Forge- Reality Capture API
Remediation Status: NOT VULNERABLE
Product: Forge - Token Flex API
Remediation Status: Mitigated
Product: Formit
Remediation Status: NOT VULNERABLE
Product: Fusion 360
Remediation Status: Mitigated
Product: Fusion 360 Desktop
Remediation Status: NOT VULNERABLE
Product: Fusion 360 Manage
Remediation Status: Mitigated
Product: Fusion 360 Mobile
Remediation Status: Mitigated
Product: Fusion Online
Remediation Status: NOT VULNERABLE
Product: Fusion Simulation
Remediation Status: NOT VULNERABLE
Product: Generative Design
Remediation Status: Mitigated
Product: Grading Optimization for Civil 3D
Remediation Status: NOT VULNERABLE
Product: HDS
Remediation Status: NOT VULNERABLE
Product: Healthhub
Remediation Status: NOT VULNERABLE
Product: Helius Composite
Remediation Status: NOT VULNERABLE
Product: Helius PFA
Remediation Status: NOT VULNERABLE
Product: HSMWorks
Remediation Status: NOT VULNERABLE
Product: Infrastructure Parts Editor
Remediation Status: NOT VULNERABLE
Product: InfraWorks
Remediation Status: NOT VULNERABLE
Product: InfraWorks Traffic Simulation desktop
Remediation Status:
Update Source: Autodesk Desktop App, or Accounts Portal
Product: InfraWorks Translation Service
Remediation Status: Mitigated
Product: Insight
Remediation Status: NOT VULNERABLE
Product: Instructables
Remediation Status: Mitigated
Product: Innovyze Licensing Manager
Remediation Status: NOT VULNERABLE
Product: InfoWater Pro
Remediation Status: NOT VULNERABLE
Product: InfoWorks ICM
Remediation Status: NOT VULNERABLE
Product: InfoWorks WS Pro
Remediation Status: NOT VULNERABLE
Product: InfoDrainage
Remediation Status: NOT VULNERABLE
Product: MicroDrainage
Remediation Status: NOT VULNERABLE
Product: InfoAsset Manager
Remediation Status: NOT VULNERABLE
Product: InfoAsset Mobile
Remediation Status: NOT VULNERABLE
Product: InfoAsset Online
Remediation Status: NOT VULNERABLE
Product: Inventor
Remediation Status: NOT VULNERABLE
Product: Inventor CAM
Remediation Status: NOT VULNERABLE
Product: Inventor ETO
Remediation Status: NOT VULNERABLE
Product: Inventor Nastran
Remediation Status: NOT VULNERABLE
Product: Inventor Nesting
Remediation Status: NOT VULNERABLE
Product: Materials 360
Remediation Status: NOT VULNERABLE
Product: Maya
Remediation Status: NOT VULNERABLE
Product: Maya LT
Remediation Status: NOT VULNERABLE
Product: Autodesk Meshmixer
Remediation Status: NOT VULNERABLE
Product: Moldflow
Remediation Status: NOT VULNERABLE
Product: MotionBuilder
Remediation Status: NOT VULNERABLE
Product: Mudbox
Remediation Status: NOT VULNERABLE
Product: Navisworks
Remediation Status: NOT VULNERABLE
Product: Navisworks Simulate
Remediation Status: NOT VULNERABLE
Product: Network Licensing Manager (NLM)
Remediation Status: NOT VULNERABLE
Product: Network Licensing Reporting Manager (NLRM)
Remediation Status: NOT VULNERABLE
Product: Network Licensing Reporting Service (NLRS)
Remediation Status: NOT VULNERABLE
Product: Netfabb
Remediation Status: NOT VULNERABLE
Product: Plangrid
Remediation Status: NOT VULNERABLE
Product: Plant Collaboration Services (based on BIM 360 Team)
Remediation Status: NOT VULNERABLE
Product: Point Layout
Remediation Status: NOT VULNERABLE
Product: PowerInspect
Remediation Status: NOT VULNERABLE
Product: Powermill
Remediation Status: NOT VULNERABLE
Product: Powershape
Remediation Status: NOT VULNERABLE
Product: Project Explorer for Civil 3D
Remediation Status: NOT VULNERABLE
Product: Pype
Remediation Status: Mitigated
Product: ReCap Pro
Remediation Status: NOT VULNERABLE
Product: ReCap Services
Remediation Status: NOT VULNERABLE
Product: Revit
Remediation Status: NOT VULNERABLE
Product: Revit LT
Remediation Status: NOT VULNERABLE
Product: Revit Cloud Model Upgrade
Remediation Status: NOT VULNERABLE
Product: Revit Cloud Worksharing / Cloud Models
Remediation Status: NOT VULNERABLE
Product: Robot Structural Analysis
Remediation Status: NOT VULNERABLE
Product: Shotgrid
Remediation Status: NOT VULNERABLE
Product: Smoke
Remediation Status: NOT VULNERABLE
Product: Spacemaker
Remediation Status: NOT VULNERABLE
Product: Structural Bridge Design
Remediation Status: NOT VULNERABLE
Product: Tinkercad
Remediation Status: NOT VULNERABLE
Product: Tradetapp
Remediation Status: NOT VULNERABLE
Product: Trucomposites
Remediation Status: NOT VULNERABLE
Product: Upchain
Remediation Status: Mitigated
Product: Vault
Remediation Status: NOT VULNERABLE
Product: Vehicle Tracking
Remediation Status: NOT VULNERABLE
Product: VRED
Remediation Status: NOT VULNERABLE
Product: Within Medical
Remediation Status: NOT VULNERABLE
*Note: Product list table contents subject to change.
Autodesk highly recommends that customers of the affected products obtain and apply the latest hotfixes for InfraWorks Traffic Simulation via Autodesk Desktop App or the Accounts Portal. Customers who are using impacted product versions should then reinstall the software to apply the latest hotfixes.
Customers using previous versions that no longer qualify for full support should plan to upgrade to a supported version as soon as possible to avoid downtime and potential security vulnerabilities. Visit the Autodesk Knowledge Network for more information about previous version support.
Protecting our customers’ data is our top priority. Learn more about our security and data privacy practices on the Autodesk Trust Center.
Revision: 1.0
Date: 12/23/2021
Description: Initial Release of the security advisory
Revision: 1.1
Date: 1/21/2022
Description: Update Description, and Affected Product Table
Revision: 1.2
Date: 1/26/2022
Description: Update Description, and Affected Product Table for InfraWorks Traffic Simulation
INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.