CVE-2021-46603: 
Bentley MicroStation CONNECT vulnerability analysis and mitigation

This vulnerability (CVE-2021-46603) affects Bentley MicroStation CONNECT version 10.16.0.80. The vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on January 31, 2022. It impacts the J2K image parsing functionality within the software. User interaction is required for exploitation, as the target must visit a malicious page or open a malicious file (Vendor Advisory, ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data length before copying it to a heap-based buffer during J2K image parsing. The issue has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that while local access and user interaction are required, the vulnerability can lead to high impacts on confidentiality, integrity, and availability (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. This means an attacker could potentially gain the same privileges as the user running the application, leading to unauthorized control over the affected system (ZDI Advisory).

Bentley has released version 10.16.02.* and more recent versions to address this vulnerability. Users are recommended to update to the latest version of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open J2K files from trusted sources (Vendor Advisory).