CVE-2021-34937

7.8 HIGH

📋 TL;DR

CVE-2021-34937 is a use-after-free vulnerability in Bentley View's JT file parser that allows remote code execution when users open malicious JT files. Attackers can exploit this to execute arbitrary code with the privileges of the current user. This affects users of Bentley View 10.15.0.75 who open untrusted JT files.

💻 Affected Systems

Products:
  • Bentley View
Versions: 10.15.0.75
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction to open a malicious JT file. All default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case: Malware installation or data exfiltration when users open malicious JT files from untrusted sources.

🟢 If Mitigated: Limited impact if proper application whitelisting and user training prevent execution of malicious files.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is straightforward once a malicious file is opened. ZDI has published advisory details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to Bentley View version 10.16.02 or later

Vendor Advisory: https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005

Restart Required: Yes

Instructions:

1. Download latest Bentley View from official Bentley website.
2. Install update.
3. Restart system.
4. Verify version is 10.16.02 or higher.

🔧 Temporary Workarounds

Disable JT file association (Windows)

Remove the JT file type association with Bentley View to prevent automatic opening:

Control Panel > Default Programs > Associate a file type or protocol with a program > Select .jt > Change program > Choose different application

Application control policy (Windows)

Implement application whitelisting to block execution of Bentley View from untrusted locations.

🧯 If You Can't Patch

  • Implement strict email filtering to block JT attachments
  • Train users to never open JT files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the Bentley View version: Open Bentley View > Help > About. If the version is 10.15.0.75, the system is vulnerable.

Check Version:

Not applicable - check via GUI only

Verify Fix Applied:

Verify Bentley View version is 10.16.02 or higher in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

  • Process creation events for Bentley View with suspicious parent processes
  • File access events for JT files from unusual locations

Network Indicators:

  • Outbound connections from Bentley View process to unknown IPs
  • JT file downloads from untrusted sources

SIEM Query:

Process Creation where Image contains 'BentleyView.exe' AND ParentImage NOT IN ('explorer.exe', 'cmd.exe')
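
The query above, applied to constructed process-creation events, as an added example that is not part of the original page. It assumes events carry Sysmon-style `Image`, `ParentImage` and `CommandLine` fields; the sample paths, parent names and command lines are constructed, and only `BentleyView.exe` and the two allowed parents come from the page.

```python
import ntpath
import re

TARGET_IMAGE = "bentleyview.exe"                # image name from the page's query
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe"}  # allow-list from the page's query
JT_ARG = re.compile(r'"([^"]+\.jt)"|(\S+\.jt)(?=\s|$)', re.IGNORECASE)


def jt_argument(command_line):
    """Return the first .jt path on the command line, or None."""
    m = JT_ARG.search(command_line or "")
    return (m.group(1) or m.group(2)) if m else None


def triage(event):
    """Return a finding dict if the event matches the query, else None."""
    if TARGET_IMAGE not in event.get("Image", "").lower():
        return None
    # Logs record ParentImage as a full path with arbitrary case, so compare
    # the lower-cased basename. A missing parent is treated as unexpected.
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in EXPECTED_PARENTS:
        return None
    return {"parent": parent or "<missing>",
            "jt_file": jt_argument(event.get("CommandLine"))}


def findings(events):
    """Apply triage() to every event and keep only the matches."""
    return [f for f in map(triage, events) if f is not None]


# Constructed sample events (all paths and command lines are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Apps\BentleyView.exe",
     "ParentImage": r"C:\Windows\Explorer.EXE",
     "CommandLine": r'"C:\Apps\BentleyView.exe" "D:\Projects\bridge.jt"'},
    {"Image": r"C:\Apps\BentleyView.exe",
     "ParentImage": r"C:\Mail\OUTLOOK.EXE",
     "CommandLine": r'"C:\Apps\BentleyView.exe" "C:\Users\a\Temp\quote.jt"'},
    {"Image": r"C:\Apps\BentleyView.exe", "CommandLine": ""},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Mail\OUTLOOK.EXE", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in findings(SAMPLE_EVENTS):
        print(finding)
```

Comparing the full `ParentImage` path directly against `'explorer.exe'` would flag every launch, which is why the basename is normalized before the allow-list check.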
