Product(s): WaterGEMS, WaterCAD, HAMMER, SewerGEMS, SewerCAD, StormCAD, CivilStorm
Version(s): 10.03.05.05 and earlier (water), 10.03.04.53 and earlier (storm/sewer)
Area: Security
Problem
A system security scan reports a security issue with a log4net version earlier than 2.0.10 (not to be confused with Log4j) in one or more of the Bentley OpenFlows products listed above.
Solution
This finding is known to appear in security scans because of the way these products use XML configuration files. The relevant CVE (Common Vulnerabilities and Exposures) entries are listed further below.
As of August 2nd, 2022: Bentley has analyzed these log4net CVEs and found that they are not exploitable in the context of these products, given the attack vector described. An attacker would already need full control over the system in order to exploit these vulnerabilities locally. They should therefore be considered low or no risk.
Regardless, we have upgraded this library for future versions of these products. The upgraded library is included in versions 10.04.00.XX and higher. See below for information on upgrading.
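To confirm which installed copies of the library a scanner will keep flagging until the upgrade, the following added PowerShell check (not Bentley's own script) inventories log4net.dll files under an install folder and reports any whose file version is below 2.0.10. The default root path under Program Files\Bentley is an assumption; pass -Root if your installation lives elsewhere.

```powershell
# Added example, not part of the Bentley article: find log4net.dll copies below 2.0.10.
# Assumption: products are installed under the default Bentley folder; override with -Root.
param(
    [string]$Root = "$env:ProgramFiles\Bentley",
    [version]$MinimumSafe = [version]'2.0.10'
)

$findings = Get-ChildItem -Path $Root -Filter 'log4net.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # FileVersion may carry an extra build segment or a text suffix; keep only the leading dotted numbers.
        $raw    = $_.VersionInfo.FileVersion
        $parsed = $null
        if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $parsed = [version]$Matches[1] }
        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $raw
            # Unparsable versions are flagged too, so nothing slips through silently.
            Flagged     = ($null -eq $parsed) -or ($parsed -lt $MinimumSafe)
        }
    }

$findings | Format-Table -AutoSize

if ($findings | Where-Object Flagged) {
    Write-Warning "log4net.dll below $MinimumSafe found; scanners will report it until the product is upgraded to 10.04.00.XX or higher."
}
```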
See Also
National Vulnerability Database: CVE-2006-0743
National Vulnerability Database: CVE-2018-1285
How to receive alerts on new version availability
Downloading OpenFlows Software