CVE-2021-34906: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-34906 is a vulnerability discovered in Bentley View software affecting its J2K file parsing functionality. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on December 8, 2021. The vulnerability affects versions of Bentley View prior to 10.16.02.* (Bentley Advisory).

The vulnerability exists within the parsing of J2K files and results from the lack of validating the existence of an object prior to performing operations on the object. It is classified as a use-after-free vulnerability that could lead to code execution. The vulnerability has been assigned a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) (ZDI Advisory).

An attacker can leverage this vulnerability to execute arbitrary code in the context of the current process. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file (ZDI Advisory).

Bentley has released version 10.16.02.* and more recent versions to address this vulnerability. As a general best practice, it is recommended to only open J2K files coming from trusted sources (Bentley Advisory).