CVE-2021-46582: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46582) affects Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on January 31, 2022. It involves a use-after-free vulnerability in the parsing of JP2 images, where the software fails to validate the existence of an object before performing operations on it (Zero Day Initiative, Vendor Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The specific flaw exists within the parsing of JP2 images, where the application fails to properly validate the existence of an object before performing operations on it. This vulnerability is tracked as ZDI-CAN-15376 (Zero Day Initiative).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically the target must visit a malicious page or open a malicious file (Zero Day Initiative).

Bentley has issued an update to address this vulnerability. Users should upgrade to version 10.16.02 or later of MicroStation and MicroStation-based applications. As a general best practice, it is recommended to only open JP2 files from trusted sources (Vendor Advisory).