We use cookies to provide you with the best possible user experience. If you continue to use the site without changing your cookie settings, we assume you are fine with our cookies and the way we use them. The cookies store information about how you use our website, and help you use some of the functions on the site. Our cookies do not store any sensitive information, and we never use your cookies for targeted advertising. If you want, you can change your computer’s settings so that it does not accept cookies. We have information here on how you can do that.

Continue

BE-2022-0001: Use of Log4j in RenderFarm component for SYNCHRO 4D Pro and SYNCHRO Pro

Bentley ID: BE-2022-0001 
CVE ID: CVE-2021-44228 
Severity: 10 (Critical) 
CVSS v3.1:  3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 
Publication date: 17th February 2022 
Revision date: 17th February 2022 


Description


Summary: 

The RenderFarm component of SYNCHRO 4D Pro and SYNCHRO Pro includes a Log4j version susceptible to the Log4Shell vulnerability. 

 

Details: 

If you are using the RenderFarm component of SYNCHRO 4D Pro and SYNCHRO Pro and run distributed rendering over the network, you might be at risk of the Log4Shell vulnerability described in CVE-2021-44228 if a malicious attacker can access your render farm and send malicious payloads to it. 

 

Affected Versions:


Applications Affected Versions Mitigated Versions
SYNCHRO 4D Pro  Versions prior to 6.4.3.2 6.4.3.2 and more recent
SYNCHRO Pro  Versions from 6.1 to 6.2.3 and 6.3 6.2.4.2

Recommended Mitigations

Only very few of our users are using the RenderFarm component. If you aren’t using it, you aren’t at risk. You can follow the instructions here to safely remove the Log4j jar file if desired, without affecting SYNCHRO 4D Pro and SYNCHRO Pro functionalities: https://communities.bentley.com/products/construction/w/construction__wiki/57908/ .

Bentley recommends updating to the latest versions of SYNCHRO 4D Pro since the new version does not include this component anymore and SYNCHRO 4D Pro is the replacement product of SYNCHRO Pro. 


Revision History

Date Description
17th February 2022 First version of the advisory