All Advisories / BE-2024-0002

BE-2024-0002

BE-2024-0002: ProjectWise Integration Server SQL API abuse

Bentley ID: BE-2024-0002
CVE ID: CVE-2024-53007
Severity: 5.8
CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N/E:P/RL:T/RC:C
Publication date: 2025-01-28
Revision date: 2025-01-28

Summary
The ProjectWise Integration Server application has an API for clients to request SQL query execution that may be abused by an authenticated user with application-level subject matter expertise.

Details
The ProjectWise Integration Server exposes many APIs for users to customize the behavior of the application. This feature is leveraged by a majority of our users. Some calls of this API may be abused by a malicious insider to obtain or manipulate data from the SQL database. This could lead to bypass of access control or tampering of data. Bentley is already implementing plans to deprecate this API in future versions of ProjectWise. This depreciation plan is being carefully designed with our Users to not negatively impact the stability and availability of current global ProjectWise deployments.

Affected Versions

Applications Affected Versions Mitigated Versions
ProjectWise Integration Server <10.00.03.288 >=10.00.03.288

 

Recommended Mitigations
Follow industry standard guidance on authentication of users including mandating robust 2FA. Follow industry standard guidance on regular and independent internal privileged access reviews. Make sure to follow best practices to minimize ProjectWise database user permissions : https://docs.bentley.com/LiveContent/web/ProjectWise%20Design%20Integration-v2024/Implementation%20Guide/en/html5/topics/6379/GUID-173543FA-9B56-CF33-D07B-035674B61BCF.html . Upgrade to latest versions of ProjectWise Integration server and enable the SQL Allow List to help minimize the risk of malicious SQL queries to be executed. See this link for how to configure it: https://docs.bentley.com/LiveContent/web/ProjectWise%20Administrator%20Help-v13/en/GUID-362761CD-A0C5-42C0-9CB1-82F538D8E86C.html . For ProjectWise Cloud users, you are always using the latest version but need to open a service ticket to request enabling the SQL Allow List for your instance.

Acknowledgement
Thanks to Andre Botelho, Robert Ingrube and Riedmair Josef from Siemens Energy

Revision History

Date Description
2025-01-28 First version of this advisory
2025-02-17 Change ‘whitelist’ for ‘SQL Allow List’

20% Off Bentley Software

Deal Ends Friday

Use Coupon Code "THANKS24"

Celebrate Infrastructure Delivery & Performance Excellence

The 2024 Year in Infrastructure
and Going Digital Awards

Nominate a project for the most prestigious awards in infrastructure! Extended deadline to enter is April 29th.