CVE-2021-46567: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46567) affects Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability allows remote attackers to execute arbitrary code when users interact with maliciously crafted JT files. The issue was discovered by xina1i and was reported through the Zero Day Initiative (ZDI-CAN-15028) (ZDI Advisory, Bentley Advisory).

The vulnerability stems from the lack of validating the existence of an object prior to performing operations on the object during JT file parsing. This use-after-free condition can be exploited to execute code in the context of the current process. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process, potentially leading to full system compromise with the privileges of the user running the application. The attack requires user interaction, specifically opening a maliciously crafted JT file (ZDI Advisory).

Bentley has released version 10.16.02 and later versions of MicroStation and MicroStation-based applications to address this vulnerability. Users are recommended to update to the latest version. Additionally, as a general best practice, users should only open JT files from trusted sources (Bentley Advisory).