All Advisories / BE-2022-0001

BE-2022-0001

BE-2022-0001: Use of Log4j in RenderFarm component for SYNCHRO 4D Pro and SYNCHRO Pro

Bentley ID: BE-2022-0001
CVE ID: CVE-2021-44228
Severity: 10
CVSS v3.1: 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Publication date: 2022-02-17
Revision date: 2022-02-17

Summary
The RenderFarm component of SYNCHRO 4D Pro and SYNCHRO Pro includes a Log4j version susceptible to the Log4Shell vulnerability.

Details
If you are using the RenderFarm component of SYNCHRO 4D Pro and SYNCHRO Pro and run distributed rendering over the network, you might be at risk of the Log4Shell vulnerability described in CVE-2021-44228 if a malicious attacker can access your render farm and send malicious payloads to it. 

Affected Versions

Applications Affected Versions Mitigated Versions
SYNCHRO 4D Pro Versions prior to 6.4.3.2 6.4.3.2 and more recent
SYNCHRO Pro Versions from 6.1 to 6.2.3 and 6.3 6.2.4.2

 

Recommended Mitigations
Only very few of our users are using the RenderFarm component. If you aren’t using it, you aren’t at risk. You can follow the instructions here to safely remove the Log4j jar file if desired, without affecting SYNCHRO 4D Pro and SYNCHRO Pro functionalities: https://communities.bentley.com/products/construction/w/construction__wiki/57908/ . Bentley recommends updating to the latest versions of SYNCHRO 4D Pro since the new version does not include this component anymore and SYNCHRO 4D Pro is the replacement product of SYNCHRO Pro.

Acknowledgement

Revision History

Date Description
2022-02-17 First version of this advisory

20% Off Bentley Software

Deal Ends Friday

Use Coupon Code "THANKS24"

Celebrate Infrastructure Delivery & Performance Excellence

The 2024 Year in Infrastructure
and Going Digital Awards

Nominate a project for the most prestigious awards in infrastructure! Extended deadline to enter is April 29th.