A few users have reported Log4j security concern after scanning SYNCHRO Pro or SYNCHRO 4D Pro directory:
C:\Program Files\Bentley\SYNCHRO\Pro\render_farm_client.jar (for SYNCHRO Pro)
C:\Program Files\Bentley\SYNCHRO\4D Pro\render_farm_client.jar (for SYNCHRO 4D Pro)
render_farm_client.jar is only included into SYNCHRO Pro and SYNCHRO 4D Pro installer. It does not run with SYNCHRO Pro or SYNCHRO 4D Pro by default. If a user does not configure the network for distributed Iray rendering then it is not used at all.
Example of render_farm_client.jar in SYNCHRO 4D Pro installation directory:
Applications
Affected Versions
Mitigated Product and Versions
SYNCHRO 4D Pro
Versions prior to 6.4.3.*
6.4.3.* and more recent
SYNCHRO Pro
Versions from 6.1 to 6.3.
Versions 6.0 and prior are NOT affected.
SYNCHRO 4D Pro 6.4.3.* and more recent versions. SYNCHRO 4D Pro is the replacement product for SYNCHRO Pro.
For users who are concerned about the render_farm_client.jar component and in doubt of its security, the file and its directory (C:\Program Files\Bentley\SYNCHRO\Pro\render_farm_client.jar or C:\Program Files\Bentley\SYNCHRO\4D Pro\render_farm_client.jar) can be removed completely. Removal of these files will not affect SYNCHRO Pro or SYNCHRO 4D Pro functionalities.
We are planning to exclude render_farm_client.jar completely from the SYNCHRO 4D Pro package in the upcoming release 6.4.3.0. This is because an update to this third-party component is not available and there is no reported usage on render_farm_client.jar.