ROB-EX is unaffected by the Log4Shell vulnerability
We have conducted an internal security investigation to assess if ROB-EX is affected by the Log4Shell vulnerability. The conclusion is that no ROB-EX module or component between ROB-EX v4.2 – ROB-EX v7.0 is affected (we have not investigated versions older than v4.2).
The detailed results from our internal security investigation are the following
- The only ROB-EX product using Log4j is the JBoss Multiuser Server used for ROB-EX v6.4 and older. The JBoss version used runs on Log4j v1.2.8. This Log4j version is not affected (only Log4j v2.0 and later are affected by the Log4Shell vulnerability).
- ROB-EX Multiuser Server v7.0 and newer uses Logback logging. Logback is not affected by the mentioned security issue.
- Our ROB-EX client including Shopfloor has been running Logback logging for the past many years. Logback is not affected by the mentioned security issue.
- Our ROB-EX License Server does not use Log4j either, so again no problems here.
Our conclusion is that ROB-EX customers will not have to take additional actions to secure their ROB-EX installation in relation to the Log4Shell vulnerability.