CVE-2021-34917: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-34917 is a use-after-free vulnerability affecting Bentley View version 10.15.0.75. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and publicly disclosed on December 8th, 2021. The vulnerability affects the J2K file parsing functionality in Bentley View and MicroStation-based applications (Bentley Advisory, ZDI Advisory).

The vulnerability exists within the parsing of J2K files and results from the lack of validating the existence of an object prior to performing operations on the object. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that while local access and user interaction are required, the vulnerability can lead to high impacts on confidentiality, integrity, and availability (ZDI Advisory).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. This means an attacker could potentially gain the same privileges as the application running the vulnerable code (ZDI Advisory).

Bentley has released version 10.16.02.* and more recent versions to address this vulnerability. As a general best practice, it is recommended to only open J2K files coming from trusted sources (Bentley Advisory).