BE-2021-0006: Out-of-Bounds and use-after-free vulnerabilities in MicroStation and MicroStation-based applications
Bentley ID: BE-2021-0006
CVE ID: CVE-2021-34879, CVE-2021-34883, CVE-2021-34900, CVE-2021-34906, CVE-2021-34908, CVE-2021-34915, CVE-2021-34917, CVE-2021-46583, CVE-2021-46584, CVE-2021-46603, CVE-2021-46614, CVE-2021-46622, CVE-2021-46626
Severity: Severity : 7.8 (High)
CVSS v3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Publication date: 7th December 2021
Revision date: 4th February 2022
MicroStation and MicroStation-based applications may be affected by out-of-bounds or use-after-free vulnerabilities when opening maliciously crafted J2K files. Exploiting these vulnerabilities could lead to code execution.
The following vulnerabilities related to this advisory were discovered by TrendMicro ZDI: ZDI-CAN-14832, ZDI-CAN-14836, ZDI-CAN-14867, ZDI-CAN-14879, ZDI-CAN-14881, ZDI-CAN-14893, ZDI-CAN-14895, ZDI-CAN-15377, ZDI-CAN-15378, ZDI-CAN-15397, ZDI-CAN-15408, ZDI-CAN-15416, ZDI-CAN-15456.
Using an affected version of MicroStation or MicroStation-based application to open a j2K file containing maliciously crafted data can trigger an out-of-bounds or use-after-free vulnerability. Exploitation of these vulnerabilities within the parsing of J2K files could enable an attacker to execute arbitrary code in the context of the current process.
|Applications||Affected Versions||Mitigated Versions|
|MicroStation||Versions prior to 10.16.02.*||10.16.02.* and more recent|
|Bentley View||Versions prior to 10.16.02.*||10.16.02.* and more recent|
Bentley recommends updating to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open J2K files coming from trusted sources.
Thanks to Mat Powell of Trend Micro Zero Day Initiative for discovering these vulnerabilities.
|7th December 2021||First version of the advisory|
|4th February 2022||Adding new CVE numbers provided by ZDI|