BE-2022-0014: J2K File Parsing Out-of-bounds Read Vulnerabilities in MicroStation and MicroStation-based applications
Bentley ID: BE-2022-0014
CVE ID: CVE-2022-35901
Severity: 3.3 (low)
CVSS v3.1: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Publication date: 13th July 2022
Revision date: 18th July 2022
Summary
MicroStation and MicroStation-based applications may be affected by out-of-bounds read vulnerabilities when opening maliciously crafted J2K files. Exploiting these vulnerabilities could lead to information disclosure.
Details
Using an affected version of MicroStation or MicroStation-based application to open a J2K file containing maliciously crafted data can force an out-of-bounds read. Exploitation of these vulnerabilities within the parsing of J2K files could enable an attacker to read information in the context of the current process.
Affected Versions of Products
| Product | Affected Version | Fixed Version |
|---|---|---|
| MicroStation | 10.16.* and prior versions | 10.17.0.* and more recent |
| Bentley View | 10.16.* and prior version | 10.17.0.* and more recent |
Recommended Mitigations
Bentley recommends updating to the latest versions of MicroStation and MicroStation-based applications. As a general best practice, it is also recommended to only open J2K files coming from trusted sources.
Acknowledgement
Thanks to xina1i for discovering these vulnerabilities.
Revision History
| Date | Description |
|---|---|
| 13th July 2022 | First version of the advisory |
| 18th July 2022 | Adding CVE number |
