December 16th, 2021
An update on the Apache Log4j vulnerability from our Chief Information Security Officer
In addition to monitoring for intrusion, our security teams have been analyzing each of our products to ensure they have not been compromised. If we identify any breaches in our products and systems, we will notify the users impacted immediately.
We have reviewed our product portfolio as an update to the above. This review found three services were vulnerable to the (now two) log4j-related CVEs, which we have successfully mitigated in our production environments. We continue to see no evidence of exploitation.
The impacted services were:
As mentioned above, the vulnerabilities in these services have been mitigated, and there is no evidence of exploitation. There is no action required by any users of these Bentley-hosted services.
In addition, we have to date confirmed that no Bentley desktop or server-installed (on-premise) product requires users to perform any actions regarding mitigation of these CVEs. We will continue to monitor this situation and provide relevant updates as needed.
Tom Cibelli
Chief Information Security Officer
Bentley Systems
Previous Update - December 14th, 2021
On December 9th, 2021, a “Zero Day” exploit was reported in the Java logging library “log4j,” which indicates the library could be susceptible to malicious Remote Code Execution (RCE) attacks.
Once Bentley was notified, our security experts launched an investigation to determine whether this attack impacted our systems, products, and/or services. We are pleased to report that, at this time, Bentley has found no evidence our systems have been compromised by this attack or that an intrusion has occurred.
Bentley administers in-depth defense practices with all of our systems and services using technologies that are built to detect and mitigate zero-day exploits, including Endpoint Detection and Response (EDR), heuristic and signature-based antivirus software, as well as continuous network monitoring. These practices are put in place to ensure our users can continue working at full capacity during an attempted cyberattack and with the knowledge that your work will be protected.
Bentley’s Information Security team will continue to actively monitor and respond to this developing situation as it would with all security concerns. Users are encouraged to monitor our Common Vulnerability Exposure Program for continuous updates.
As a Bentley user, you can rest assured that protecting your data is our top priority.