Bentley has identified a security vulnerability in the Workflow Rules Engine implementation. The vulnerability affects ProjectWise Explorer CONNECT Edition clients, version 3.1 (10.00.03.167) and prior, whereby a ProjectWise Explorer user may access data that this user should be restricted from accessing. Bentley strongly encourages you to implement the following solution that resolves the vulnerability.
While there is not an external security threat, it has been determined that adding the Rules Engine super user and/or rollback user to the Administrator or Restricted Administrator group in ProjectWise Administrator (previously a requirement) presents a potential security risk, allowing access to data that should be restricted.
A Rules Engine client update is now available and required for all ProjectWise Explorer CONNECT Edition clients, version 3.1 Refresh Update (10.00.03.167) or prior. Accordingly, Bentley recommends that administrators take the following actions as soon as possible:
The Rules Engine patch for ProjectWise Explorer can be downloaded from Software Downloads by going to the ProjectWise Explorer download page, clearing the default filters, and locating the "ProjectWise Explorer Workflow Rules Engine Update Module" in the list of available downloads.
Note: This update is not needed for users running ProjectWise Explorer CONNECT Edition Update 3.2 or later.
The following mitigation may be helpful as well. However, Bentley strongly recommends that you perform the Recommended Course of Action outlined above as soon as possible.
Removing the Rules Engine super user and rollback user from the Administrator or Restricted Administrator group in ProjectWise Administrator fully eliminates the security risk. However, this may cause workflows that rely on those users to not work correctly.
ProjectWise user organizations that enable Bring Your Own Visa (BYOV) for external project participants where the Workflow Rules Engine is in use must take the following steps to ensure accurate usage tracking of PWDI Visas for these external project participants.