CVE-2021-34918: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

CVE-2021-34918 is a vulnerability discovered in Bentley View version 10.15.0.75 that allows remote attackers to execute arbitrary code. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on December 8, 2021. The vulnerability affects Bentley View and MicroStation applications prior to version 10.16.02 (ZDI Advisory, Bentley Advisory).

The vulnerability exists within the parsing of JP2 files. Specifically, crafted data in a JP2 file can trigger a write past the end of an allocated buffer, classified as CWE-787 (Out-of-bounds Write). The vulnerability has received a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

If successfully exploited, an attacker can leverage this vulnerability to execute arbitrary code in the context of the current process. The vulnerability requires user interaction, specifically that the target must visit a malicious page or open a malicious file (ZDI Advisory).

Bentley has issued an update to correct this vulnerability. Users should update to version 10.16.02 or later of the affected applications. As a general best practice, it is also recommended to only open JP2 files coming from trusted sources (Bentley Advisory).