CVE-2021-34908: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-34908 is a use-after-free vulnerability discovered in Bentley View 10.15.0.75 and MicroStation-based applications. The vulnerability was identified and reported by Mat Powell of Trend Micro Zero Day Initiative and was publicly disclosed on December 8, 2021. The vulnerability affects the parsing of J2K files and received a CVSS v3.1 base score of 7.8 (High) (NVD, ZDI Advisory).

The vulnerability exists within the J2K file parsing functionality and stems from the lack of validating the existence of an object prior to performing operations on it. This use-after-free condition occurs when the application attempts to access memory after it has been freed, which can lead to arbitrary code execution in the context of the current process. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required (Vendor Advisory).

Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on affected installations of Bentley View and MicroStation-based applications. The attack requires user interaction, specifically that the target must visit a malicious page or open a malicious J2K file (ZDI Advisory).

Bentley has released version 10.16.02.* and more recent versions to address this vulnerability. The vendor recommends updating to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open J2K files coming from trusted sources (Vendor Advisory).