With the recent discovery of the Log4Shell Java/Apache Vulnerability, does this affect Microstation?
Hi Evan,
Evan Tinder said: With the recent discovery of the Log4Shell Java/Apache Vulnerability
To be precise, it is not a Log4Shell issue, but a vulnerability in the org.apache.logging.log4j:log4j-core package, which consequently affects the Log4Shell tool, plus any other software using this package, and also any software using Log4Shell.
Evan Tinder said: does this affect Microstation
As Jon wrote, it is a "Java world" issue (but not automatically a "server only" problem). MicroStation and other Bentley products typically use Log4Net, which is a re-implementation of the Log4J software using .NET technology. As far as I know, the .NET variants are not affected (because they are re-implemented, so in fact different internally).
If you are interested in security issues, data privacy and related topics, I recommend looking at the Bentley Trust Center, where both cloud (e.g. GDPR, ISO...) and desktop products (CVE program) are described. As you can see there, MicroStation CE U16.2 fixes a lot of known vulnerabilities that existed in previous versions.
Regards,
Jan
Bentley Accredited Developer: iTwin Platform - Associate
Labyrinth Technology | dev.notes() | cad.point
There is a log4j.dtd file at Workspace\system\data of MS SS10; it is a text/configuration file related to log4j, not log4net.
But only Bentley knows how this is used.
Reimo said: There is a log4j.dtd file at Workspace\system\data of MS SS10
Not in my installation of MicroStation CONNECT Update 16.2
Reimo said: only Bentley knows how this is used
A DTD file is an XML document type definition. It's a data file used to validate an XML file using a known schema.
Regards, Jon Summers LA Solutions
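The thread names the org.apache.logging.log4j:log4j-core package as the affected component and notes that a log4j.dtd file is only an XML schema. As an added example (not part of any post above and not Bentley code), the script below walks an installation folder and reports only archives that actually bundle log4j-core, recognised by its `JndiLookup` class, including archives nested inside other archives. The sample tree, file names and version string are constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Entries that identify a log4j-core archive: the JNDI lookup class and its Maven metadata.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, hits):
    """Append (label, version) if the archive holds JndiLookup; recurse into nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # wrong extension or truncated file, nothing to inspect
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            version = next((l.split("=", 1)[1].strip() for l in props.splitlines()
                            if l.startswith("version=")), "unknown")
            hits.append((label, version))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), label + "!" + name, hits)

def find_log4j_core(root):
    """Return sorted (path, version) pairs for every archive under root bundling log4j-core."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), str(path), hits)
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: a lone log4j.dtd (no hit) and app.jar nesting a fake log4j-core."""
    Path(root, "log4j.dtd").write_text("<!ELEMENT configuration ANY>\n")  # placeholder DTD
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"")
        zf.writestr(POM_PROPS, "version=0.0.0-constructed\n")
    with zipfile.ZipFile(Path(root, "app.jar"), "w") as zf:
        zf.writestr("lib/log4j-core.jar", inner.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_log4j_core(tmp))
```

An empty result for a real installation folder means no archive there carries the log4j-core lookup class; the reported version comes from the archive's own Maven metadata and should be compared against the vendor's advisory.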