ROB-EX is unaffected by the Spring4Shell vulnerability
We have conducted an internal security investigation to assess if ROB-EX is affected by the Spring4Shell vulnerability. The conclusion is that no ROB-EX module or component between ROB-EX v4.2 – ROB-EX v7.2 is affected (we have not investigated versions older than v4.2).
The detailed results from our internal security investigation are the following
- The only ROB-EX product using Spring is Multiuser Server 7.0 and Multiuser Server 7.2
- The exploit requires use of Java 9 and higher to be exploited.
- The ROB-EX 7.0 server uses Java 8 and is thus not affected by this exploit
- The ROB-EX 7.2 server uses Java 17. This server version uses Spring Boot v2.6.6 or newer where the Spring4Shell vulnerability is fixed.
- The exploit requires a Servlet container packaged as WAR to be exploited. The ROB-EX 7.0 and 7.2 server is packaged as a JAR and is thus not affected by this exploit
Our conclusion is that ROB-EX customers will not have to take additional actions to secure their ROB-EX installation in relation to the Spring4Shell vulnerability.