Log4j security concern (render_farm_client.jar) found in SYNCHRO Pro or SYNCHRO 4D Pro installation


See Bentley's public announcement on Log4j here

Issue description

A few users have reported a Log4j security concern after scanning the SYNCHRO Pro or SYNCHRO 4D Pro installation directory:

C:\Program Files\Bentley\SYNCHRO\Pro\render_farm_client.jar (for SYNCHRO Pro)

C:\Program Files\Bentley\SYNCHRO\4D Pro\render_farm_client.jar (for SYNCHRO 4D Pro)

render_farm_client.jar is only included in the SYNCHRO Pro and SYNCHRO 4D Pro installers. It does not run with SYNCHRO Pro or SYNCHRO 4D Pro by default. If a user does not configure the network for distributed Iray rendering, it is not used at all.

[Image: example of render_farm_client.jar in the SYNCHRO 4D Pro installation directory]

Affected Versions

| Applications | Affected Versions | Mitigated Product and Versions |
| --- | --- | --- |
| SYNCHRO 4D Pro | Versions prior to 6.4.3.* | 6.4.3.* and more recent |
| SYNCHRO Pro | Versions from 6.1 to 6.3. Versions 6.0 and prior are NOT affected. | SYNCHRO 4D Pro 6.4.3.* and more recent versions. SYNCHRO 4D Pro is the replacement product for SYNCHRO Pro. |

Solution

Users who are concerned about the render_farm_client.jar component and doubt its security can completely remove the file and its directory (C:\Program Files\Bentley\SYNCHRO\Pro\render_farm_client.jar or C:\Program Files\Bentley\SYNCHRO\4D Pro\render_farm_client.jar). Removing these files will not affect SYNCHRO Pro or SYNCHRO 4D Pro functionality.

We are planning to exclude render_farm_client.jar completely from the SYNCHRO 4D Pro package in the upcoming release 6.4.3.0. This is because an update to this third-party component is not available and there is no reported usage of render_farm_client.jar.
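
The check and removal described under Solution, as an added PowerShell example (not Bentley's own tooling): it looks for render_farm_client.jar at the two paths listed in this article, reports a SHA-256 hash and any archive entries whose names contain "log4j", and deletes the file only when run with -Remove. The -Remove switch and the entry-name match are assumptions of this example; archives nested inside the jar are not opened.

```powershell
# Added example: audit and optionally remove render_farm_client.jar.
# Run from an elevated session; the paths are under C:\Program Files.
param(
    [switch]$Remove   # hypothetical switch for this example: delete the file after reporting
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# The two install locations named in this article.
$jarPaths = @(
    'C:\Program Files\Bentley\SYNCHRO\Pro\render_farm_client.jar',
    'C:\Program Files\Bentley\SYNCHRO\4D Pro\render_farm_client.jar'
)

foreach ($jar in $jarPaths) {
    if (-not (Test-Path -LiteralPath $jar -PathType Leaf)) {
        Write-Output "Not present: $jar"
        continue
    }

    # A .jar is a ZIP archive; collect entry names that look like bundled Log4j.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($jar)
    try {
        $hits = @($zip.Entries |
            Where-Object { $_.FullName -match 'log4j' } |
            Select-Object -ExpandProperty FullName)
    }
    finally {
        $zip.Dispose()   # release the file handle before any removal
    }

    # Record what was found so the removal can be documented.
    [pscustomobject]@{
        Path          = $jar
        SHA256        = (Get-FileHash -LiteralPath $jar -Algorithm SHA256).Hash
        Log4jEntries  = $hits.Count
        HasJndiLookup = @($hits -match 'JndiLookup\.class$').Count -gt 0
    }

    if ($Remove) {
        # -Confirm prompts before each deletion; add -WhatIf for a dry run.
        Remove-Item -LiteralPath $jar -Force -Confirm
    }
}
```

Without -Remove the script only reports, so it can be used to confirm after an upgrade or cleanup that the file is no longer present.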