Intel® Quartus® Prime Software
Intel® Quartus® Prime Design Software, Design Entry, Synthesis, Simulation, Verification, Timing Analysis, System Design (Platform Designer, formerly Qsys)

Log4j Security Inquiry

jamesd1
Novice
750 Views

Hi, I'm looking to inquire about any susceptibilities regarding the log4j vulnerability.

 

I've found .jar files under the intelFPGA directory relating to log4j (relating to Eclipse). Could you confirm that this (or any other element relating to Quartus Prime) is not a risk to our systems?

 

Thanks in advance,
James

 

 

6 Replies
ShengN_Intel
Employee
640 Views

Hi jamesd1,

 

There is a previous case about log4j security found in the software developer forum.

https://community.intel.com/t5/Intel-Fortran-Compiler/log4j-security-problem/m-p/1343688 

It can probably answer your question.

 

If not, you can open a new thread in the software developer forum. Your question may get better confirmation there.


Best regards,
Sheng

p/s: If any answer from the community or Intel support is helpful, please feel free to give Kudos.

ShengN_Intel
Employee
586 Views

Hi jamesd1,

 

Here is an update from internal regarding log4j.

 

SMG released this internal document regarding Log4Shell. There is a list of unaffected products. Please check here for more information.

Thank you.

 

Best regards,
Sheng

p/s: If any answer from the community or Intel support is helpful, please feel free to give Kudos.

jamesd1
Novice
358 Views

Hi Sheng,

 

Thank you for your reply and apologies for the delayed response over the holidays.

 

I can't seem to be able to access the links posted in your most recent message. I'm getting the following error message (with email addresses, etc redacted for the sake of public posting):


Message: AADSTS90072: User account [REDACTED] from identity provider [REDACTED] does not exist in tenant 'Intel Corporation' and cannot access the application '00000003-0000-0ff1-ce00-000000000000'(Office 365 SharePoint Online) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account

 

I've attempted to use alternative browsers, computers and accounts to access this link, but with no luck.

 

Is the link broken and might there be an alternative link I could use?

 

Kind regards,

James

ShengN_Intel
Employee
351 Views

Hi jamesd1,

 

If you can't access the links posted in the previous post, maybe you can go to the latest link stated below.

For the latest information on Intel’s response to the Log4j/Log4Shell vulnerability, please see Intel-SA-00646

 

Best regards,
Sheng

p/s: If any answer from the community or Intel support is helpful, please feel free to give Kudos.

jamesd1
Novice
344 Views

Hi Sheng,

 

Thanks for that link. Quartus Prime isn't mentioned anywhere on that page though.

 

The main thing that would concern me is that I've found .jar files under the intelFPGA directory relating to log4j (used for the Eclipse plugin). Is it possible that this hasn't been noticed and addressed yet? And could it also be used elsewhere in the program?

 

I'm using version 18.1, but the release notes for more recent versions don't mention log4j, so I'd assume from this that it hasn't been patched. Would this present a security vulnerability on our systems?

 

Kind regards,

James

ShengN_Intel
Employee
335 Views

Hi jamesd1,

 

If you have information about a security issue or vulnerability with an Intel branded product or technology, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

The products and versions affected
Detailed description of the vulnerability
Information on known exploits

 

You can try the email stated above. Maybe you can get better confirmation there.

Hope it helps.

Best regards,
Sheng

p/s: If any answer from the community or Intel support is helpful, please feel free to give Kudos.
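
An inventory of the kind James describes (locating log4j-related .jar files under an install directory), as an added example that is not part of the thread and is not Intel tooling. It goes slightly beyond the thread by also opening nested archives; the class and `pom.properties` paths are those of upstream Apache log4j, the directory to scan is whatever you pass in, and the result is a list of what is on disk, not a statement about whether a product is affected.

```python
import io, os, re, sys, zipfile

# Paths inside upstream Apache log4j jars (assumption: the jars are not repackaged/shaded).
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"   # log4j-core 2.x JNDI lookup
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
V1_MARK = "org/apache/log4j/Logger.class"                        # log4j 1.x, no JndiLookup class
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def inspect_jar(zf):
    """Classify one open archive; return a dict, or None if it holds no log4j."""
    names = set(zf.namelist())
    if POM in names or JNDI in names:
        version = None
        if POM in names:
            text = zf.read(POM).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", text, re.M)
            version = m.group(1).strip() if m else None
        return {"family": "log4j-core 2.x", "version": version,
                "jndi_lookup": JNDI in names}
    if V1_MARK in names:
        return {"family": "log4j 1.x", "version": None, "jndi_lookup": False}
    return None

def scan_archive(source, label, depth=0):
    """Inspect an archive (path or file object) and archives nested up to 3 levels."""
    findings = []
    try:
        with zipfile.ZipFile(source) as zf:
            hit = inspect_jar(zf)
            if hit:
                findings.append({"path": label, **hit})
            for name in zf.namelist() if depth < 3 else []:
                if name.lower().endswith(ARCHIVES):
                    inner = io.BytesIO(zf.read(name))
                    findings += scan_archive(inner, f"{label}!{name}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable, corrupt or encrypted archive: skip it
    return findings

def scan_tree(root):
    """Walk root and return one finding per log4j copy found in any archive."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, f)
                findings += scan_archive(path, path)
    return findings

if __name__ == "__main__":
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

A finding with `jndi_lookup: True` is the one to compare against the vendor advisory and the log4j-core version it reports.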
