Bentley has identified a security vulnerability in the Rules Engine implementation. The vulnerability affects ProjectWise Explorer CONNECT Edition clients, version 3.1 Refresh Update (10.00.03.167) or earlier, whereby a ProjectWise Explorer user may access data that should be restricted from that user. Bentley strongly encourages you to implement the following solution, which resolves the vulnerability.
Details and Potential Impact
While there is no external security threat, it has been determined that adding the Rules Engine super user and/or rollback user to the Administrator or Restricted Administrator group in ProjectWise Administrator (previously a requirement) presents a potential security risk, because it allows access to data that should be restricted.
Recommended Course of Action
A Rules Engine client update is now available and required for all ProjectWise Explorer CONNECT Edition clients, version 3.1 Refresh Update (10.00.03.167) or earlier. Accordingly, Bentley recommends that administrators take the following actions as soon as possible:
- Remove the Rules Engine super user and rollback user from the Administrator or Restricted Administrator group in ProjectWise Administrator.
- The primary ProjectWise Administrator account should not be used as the Rules Engine super user or rollback user.
- Install the Rules Engine client update wherever your users are running ProjectWise Explorer CONNECT Edition Update 3.1 or earlier.
- Installing the Rules Engine client update ensures that workflows that rely on the super user and rollback user continue to work correctly after those users have been removed from the Administrator or Restricted Administrator group.
- Workflows that rely on the super user and rollback user also continue to work correctly if you install the update before you remove those users from the Administrator or Restricted Administrator group.
- This Rules Engine client update also includes the latest Rules Engine enhancements and bug fixes (for pre-3.2 versions).
- Review and, if needed, revise the access control permissions set for the super user so that it has sufficient privileges in the datasource without being a member of the Administrator group.
The Rules Engine client update can be downloaded from Software Downloads.
Note: This update is not needed for users running ProjectWise Explorer CONNECT Edition Update 3.2 or later.
Mitigation
The following mitigation may also be helpful. However, Bentley strongly recommends that you perform the Recommended Course of Action outlined above as soon as possible.
Removing the Rules Engine super user and rollback user from the Administrator or Restricted Administrator group in ProjectWise Administrator fully eliminates the security risk on its own. However, without the Rules Engine client update, workflows that rely on those users may stop working correctly.