Tutti gli avvisi / BE-2024-0002

BE-2024-0002

BE-2024-0002: ProjectWise Integration Server SQL API abuse

Bentley ID: BE-2024-0002
CVE ID: CVE-2024-53007
Severity: 5.8
CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N/E:P/RL:T/RC:C
Publication date: 2025-01-28
Revision date: 2025-01-28

Summary
The ProjectWise Integration Server application has an API for clients to request SQL query execution that may be abused by an authenticated user with application-level subject matter expertise.

Details
The ProjectWise Integration Server exposes many APIs for users to customize the behavior of the application. This feature is leveraged by a majority of our users. Some calls of this API may be abused by a malicious insider to obtain or manipulate data from the SQL database. This could lead to bypass of access control or tampering of data. Bentley is already implementing plans to deprecate this API in future versions of ProjectWise. This depreciation plan is being carefully designed with our Users to not negatively impact the stability and availability of current global ProjectWise deployments.

Affected Versions

Applications Affected Versions Mitigated Versions
ProjectWise Integration Server >=10.00.03.288

 

Recommended Mitigations
Follow industry standard guidance on authentication of users including mandating robust 2FA. Follow industry standard guidance on regular and independent internal privileged access reviews. Make sure to follow best practices to minimize ProjectWise database user permissions : https://docs.bentley.com/LiveContent/web/ProjectWise%20Design%20Integration-v2024/Implementation%20Guide/en/html5/topics/6379/GUID-173543FA-9B56-CF33-D07B-035674B61BCF.html . Upgrade to latest versions of ProjectWise Integration server and enable the SQL Allow List to help minimize the risk of malicious SQL queries to be executed. See this link for how to configure it: https://docs.bentley.com/LiveContent/web/ProjectWise%20Administrator%20Help-v13/en/GUID-362761CD-A0C5-42C0-9CB1-82F538D8E86C.html . For ProjectWise Cloud users, you are always using the latest version but need to open a service ticket to request enabling the SQL Allow List for your instance.

Acknowledgement
Thanks to Andre Botelho, Robert Ingrube and Riedmair Josef from Siemens Energy

Revision History

Date Descrizione
28-01-2025 Prima versione dell'avviso
17-02-2025 Change ‘whitelist’ for ‘SQL Allow List’
Hai bisogno di assistenza?
Opzioni di accessibilità
Torna all'inizio
Logo nero di Bentley Systems

Costruisci con noi

Studenti e insegnanti
Sviluppatori
Ricerca sui prodotti

Esplora

Software
Licenze e abbonamenti
Il mio account/Crea profilo
Visualizza i software
Risorse

Storie e notizie

Notizie
Blog
Infrastructure Yearbook
Digital Currency Newsletter

Società

Informazioni
Opportunità di lavoro
Contattaci
Investitori
Eventi
Year in Infrastructure
Sostenibilità
COP

Supporto

Centro assistenza
Formazione
Servizi
Community di Bentley

Investimenti

Fondo Bentley iTwin Ventures

Ufficio legale

Panoramica legale
Trust Center

Imprese e partner

Channel Partner e partner di formazione
Seequent, The Bentley Subsurface Company
Cohesive
Cesium

Informativa sulla privacy | Condizioni d'uso | Cookie

Facebook LinkedIn YouTube Instagram
© 2025 Bentley Systems, incorporated

20% di sconto sui software di Bentley

L'offerta termina venerdì

Usa il codice coupon "THANKS24"

Acquista ora

Celebra la realizzazione di infrastrutture e l’eccellenza delle prestazioni

Year in Infrastructure e Going Digital Awards 2024

Candida un progetto per i premi più prestigiosi nel settore delle infrastrutture! La scadenza prorogata per partecipare è il 29 aprile.

Candida un progetto