Is MicroStation vulnerable to the Log4Shell Vulnerability?

With the recent discovery of the Log4Shell Java/Apache Vulnerability, does this affect MicroStation?

  • Hi Evan,

    With the recent discovery of the Log4Shell Java/Apache Vulnerability

    To be precise, it is not a Log4Shell issue, but an org.apache.logging.log4j:log4j-core package vulnerability, which consequently affects the Log4Shell tool, plus any other software using this package, and also any software using Log4Shell.

    does this affect MicroStation

    As Jon wrote, it is a "Java world" issue (but not automatically a "server only" problem). MicroStation and other Bentley products typically use Log4Net, which is a re-implementation of the Log4J software using .NET technology. As far as I know, the .NET variants are not affected (because they are re-implemented, so in fact different internally).

    If you are interested in security issues, data privacy and related topics, I recommend looking at the Bentley Trust Center, which summarizes both cloud (e.g. GDPR, ISO...) and desktop products (CVE program). As you can see there, MicroStation CE U16.2 fixes a lot of known vulnerabilities existing in previous versions.

    Regards,

      Jan
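
An inventory check for the distinction drawn in the reply above (log4j-core in Java archives versus log4net.dll), as an added example that is not part of the original thread or any Bentley code. The function names and the sample tree are constructed for illustration; the scanner only reports presence and says nothing about versions.

```python
import io
import os
import tempfile
import zipfile

# Package path of log4j-core classes inside a JAR (org.apache.logging.log4j.core).
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, hits, depth=0):
    """Append label to hits if this archive, or one nested in it, holds log4j-core classes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
            hits.append(label)
        if depth < 3:  # bounded recursion into WAR/EAR and fat JARs
            for n in names:
                if n.lower().endswith(ARCHIVE_EXT):
                    scan_archive(zf.read(n), f"{label}!{n}", hits, depth + 1)

def scan_tree(root):
    """Walk an install directory; return (log4j_core_hits, log4net_dlls)."""
    log4j, log4net = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.lower() == "log4net.dll":
                log4net.append(path)
            elif name.lower().endswith(ARCHIVE_EXT):
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, log4j)
    return log4j, log4net

def build_sample(root):
    """Constructed sample tree: a placeholder log4net.dll and a WAR nesting a log4j-core JAR."""
    open(os.path.join(root, "log4net.dll"), "wb").close()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(scan_tree(d))
```

A shaded JAR that relocates the package would not match this prefix, so an empty result is an inventory finding rather than proof of absence.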
