With the recent discovery of the Log4Shell Java/Apache Vulnerability, does this affect Microstation?
Hi Evan,
Evan Tinder said: With the recent discovery of the Log4Shell Java/Apache Vulnerability
To be precise, it is not a Log4Shell issue, but an org.apache.logging.log4j:log4j-core package vulnerability, which consequently affects the Log4Shell tool, plus any other software using this package, and also any software using Log4Shell.
Evan Tinder said: does this affect Microstation
As Jon wrote, it is a "Java world" issue (but not automatically a "server only" problem). MicroStation and other Bentley products typically use Log4Net, which is a re-implementation of Log4J using .NET technology. As far as I know, the .NET variants are not affected (because they are re-implemented, so in fact different internally).
When you are interested in security issues, data privacy and related topics, I recommend looking at the Bentley Trust Center, which summarizes both cloud (e.g. GDPR, ISO...) and desktop products (CVE program). As you can see there, MicroStation CE U16.2 fixes a lot of known vulnerabilities existing in previous versions.
Regards,
Jan
Bentley Accredited Developer: iTwin Platform - Associate | Labyrinth Technology | dev.notes() | cad.point
There is a log4j.dtd file at Workspace\system\data of MS SS10; it is a text/configuration file related to log4j, not log4net.
But only Bentley knows how this is used.
Reimo said: There is a log4j.dtd file at Workspace\system\data of MS SS10
Not in my installation of MicroStation CONNECT Update 16.2
Reimo said: only Bentley knows how this is used
A DTD file is an XML document type definition. It's a data file used to validate an XML file using a known schema.
Regards, Jon Summers LA Solutions
Reimo said: it is a text/configuration file related to log4j
A DTD file does not configure anything. As the extension tells, it is a document type definition, in this case hypothetically used in a log4j.xml configuration file (that does not exist).
Reimo said: not log4net.
It sounds like nonsense to me: from the existence of some relic file, you decided that another logging library is not used? Logging through log4net is a standard part of power platform products and can be found also in the API (when the proper .NET assembly is referenced).
Reimo said: But only Bentley knows how this is used.
For nothing, because MicroStation does not contain any Java runtime.
Dear Jan,
I have decided nothing; I gave only the information that a file exists. Everything else was your interpretation (which is wrong).
Bentley is also using log4cxx, and may use this file for this kind of logging, since it is also part of the recent Lumen RT 14, so I don't believe that it is not used at all, but I don't like to speculate.
Best Regards,
Reimo
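A defender-side inventory check in the spirit of this exchange, added here as an example that is not part of the thread: it walks an installation tree and separates real Java log4j-core jars (by looking for the JndiLookup class inside them) from log4net/log4cxx binaries and a bare log4j.dtd schema file, which on its own implies no Java runtime. The directory layout, file names and version numbers in build_constructed_tree are constructed samples, not a real MicroStation install.

```python
import tempfile
import zipfile
from pathlib import Path

# Class whose presence in log4j-core marks the JNDI lookup behind CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def classify_logging_artifacts(root):
    """Walk an install tree and bucket logging-library files by what they imply.

    log4j_jndi: Java log4j-core jars still shipping JndiLookup (needs attention)
    log4j_jars: other log4j jars (check their version separately)
    log4net / log4cxx: the .NET and C++ ports, not the affected Java package
    dtd_only: a bare log4j.dtd schema; alone it implies no Java runtime at all
    """
    report = {k: [] for k in ("log4j_jndi", "log4j_jars", "log4net", "log4cxx", "dtd_only")}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name.endswith(".jar") and "log4j" in name:
            try:
                with zipfile.ZipFile(path) as jar:
                    has_jndi = JNDI_CLASS in jar.namelist()
            except zipfile.BadZipFile:
                has_jndi = False
            report["log4j_jndi" if has_jndi else "log4j_jars"].append(path.name)
        elif name.startswith("log4net") and name.endswith(".dll"):
            report["log4net"].append(path.name)
        elif "log4cxx" in name and name.endswith((".dll", ".so")):
            report["log4cxx"].append(path.name)
        elif name == "log4j.dtd":
            report["dtd_only"].append(path.name)
    return report


def build_constructed_tree():
    """Constructed sample tree (hypothetical layout, not a real product install)."""
    root = Path(tempfile.mkdtemp(prefix="loginv_"))
    data = root / "Workspace" / "system" / "data"
    data.mkdir(parents=True)
    (data / "log4j.dtd").write_text("<!ELEMENT log4j:configuration ANY>")
    (root / "log4net.dll").write_bytes(b"MZ")  # stand-in for a .NET assembly
    with zipfile.ZipFile(root / "log4j-core-2.14.1.jar", "w") as jar:
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class-file bytes
    with zipfile.ZipFile(root / "log4j-api-2.14.1.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root
```

Run classify_logging_artifacts against a real install root to get the same buckets; only the log4j_jndi bucket points at the Java package the thread is about.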
For MicroStation there is such a list:
Common Vulnerability Exposure Program (bentley.com)