ROB-EX is unaffected by the Spring4Shell vulnerability
We have conducted an internal security investigation to assess if ROB-EX is affected by the Spring4Shell vulnerability. The conclusion is that no ROB-EX module or component between ROB-EX v4.2 – ROB-EX v7.0 is affected (we have not investigated versions older than v4.2).
The detailed results from our internal security investigation are the following
- The only ROB-EX product using Spring is Multiuser Server 7.0
- The exploit requires use of Java 9 and higher to be exploited. The ROB-EX 7.0 server uses Java 8 and is thus not affected by this exploit
- The exploit requires a Servlet container packaged as WAR to be exploited. The ROB-EX 7.0 server is packaged as a JAR and is thus not affected by this exploit
Our conclusion is that ROB-EX customers will not have to take additional actions to secure their ROB-EX installation in relation to the Spring4Shell vulnerability.