Log4net issues appear in security scans for OpenFlows products

Product(s): WaterGEMS, WaterCAD, HAMMER, SewerGEMS, SewerCAD, StormCAD, CivilStorm
Version(s): 10.03.05.05 and earlier (water), 10.03.04.53 and earlier (storm/sewer)
Area: Security

Problem

A security scan of a system with one or more of the above Bentley OpenFlows products installed reports a vulnerable version of the log4net logging library (a version before 2.0.10). log4net is a .NET library and is not to be confused with Log4j.

Solution

This finding appears in security scans because these products use log4net together with XML configuration files, and log4net versions before 2.0.10 have published CVE (Common Vulnerabilities and Exposures) entries. See the See Also section below for the CVE entries.

As of August 2, 2022: Bentley analyzed these CVEs and found that they are not exploitable in the context of these products, given the attack vector the CVEs describe. An attacker would already need full local control over the system, including the ability to modify the log4net XML configuration files the product reads, in order to exploit them. This finding should therefore be considered low or no risk.

Regardless, we have upgraded this library for future versions of these products. The upgraded library will be included in versions 10.04.00.XX and higher (estimated release date: Q3 2022). See the links below for how to be notified of, and download, the new version when it is available.
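The following PowerShell script is an added example for verifying this finding on your own machine; it is not part of the Bentley article and is not Bentley code. It locates every log4net.dll under an install directory, compares its version with 2.0.10 (the first log4net release that fixes CVE-2018-1285, the XML external entity issue in configuration parsing), and then lists which accounts can write the XML files that contain a <log4net> configuration section. That second check confirms the attack-vector argument above: if only administrators and SYSTEM can write those files, an attacker needs local control of the machine before the CVE applies. The install path is an assumption, and the list of trusted writer accounts is a heuristic rather than a full ACL evaluation.

```powershell
# Added example, not Bentley's code. Locates log4net.dll under an OpenFlows
# install directory, compares each copy with the 2.0.10 fix version, and lists
# which accounts can write the XML files that carry a <log4net> configuration.
# $InstallRoot is an assumed path; point it at the product's actual folder.
param(
    [string]  $InstallRoot  = 'C:\Program Files\Bentley',
    [version] $FixedVersion = [version]'2.0.10'   # first log4net release that fixes CVE-2018-1285
)

if (-not (Test-Path -Path $InstallRoot)) {
    throw "Install root '$InstallRoot' not found; pass -InstallRoot <path>."
}

# 1. Library versions. AssemblyVersion is what the CLR loads; FileVersion is
#    what most scanners read, so report both.
$libraries = Get-ChildItem -Path $InstallRoot -Recurse -Filter 'log4net.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $asmVersion  = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).Version
        $fileVersion = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName).FileVersion
        [pscustomobject]@{
            Path            = $_.FullName
            AssemblyVersion = $asmVersion
            FileVersion     = $fileVersion
            BelowFix        = ($asmVersion -lt $FixedVersion)
        }
    }

if (-not $libraries) {
    Write-Host "No log4net.dll found under $InstallRoot."
} else {
    $libraries | Format-Table -AutoSize
}

# 2. Configuration files. log4net before 2.0.10 resolved XML external entities
#    while parsing its configuration, so whoever can write these files owns the
#    attack vector. The account filter below is a heuristic (assumed trusted
#    names), not a full ACL evaluation; review any account it lists.
$trustedWriters = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|NT SERVICE\\TrustedInstaller|CREATOR OWNER)$'
$writeBit = [System.Security.AccessControl.FileSystemRights]::Write

$configs = Get-ChildItem -Path $InstallRoot -Recurse -Include '*.config', '*.xml' -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern '<log4net' -Quiet } |
    ForEach-Object {
        $writers = (Get-Acl -Path $_.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeBit) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
        [pscustomobject]@{
            Path            = $_.FullName
            NonAdminWriters = ($writers | Where-Object { $_ -notmatch $trustedWriters }) -join ', '
        }
    }

if (-not $configs) {
    Write-Host "No XML files containing a <log4net> section found under $InstallRoot."
} else {
    $configs | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so Get-Acl can read every file. A row with BelowFix set to True explains the scanner finding; a configuration file with an empty NonAdminWriters column is one that only privileged accounts can alter, which is the condition under which the risk assessment above holds. If an unprivileged group (for example BUILTIN\Users or Everyone) appears in that column, treat the finding as worth remediating rather than as a scanner artifact.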

See Also

National Vulnerability Database: CVE-2006-0743

National Vulnerability Database: CVE-2018-1285

How to receive alerts on new version availability

Downloading OpenFlows Software
