ROB-EX is unaffected by the Spring4Shell vulnerability

We have conducted an internal security investigation to assess if ROB-EX is affected by the Spring4Shell vulnerability. The conclusion is that no ROB-EX module or component between ROB-EX v4.2 – ROB-EX v7.2 is affected (we have not investigated versions older than v4.2).

The detailed results from our internal security investigation are the following

  • The only ROB-EX product using Spring is Multiuser Server 7.0 and Multiuser Server 7.2
  • The exploit requires use of Java 9 and higher to be exploited.
    • The ROB-EX 7.0 server uses Java 8 and is thus not affected by this exploit
    • The ROB-EX 7.2 server uses Java 11. This server version uses Spring Boot v2.6.6 or newer where the Spring4Shell vulnerability is fixed.
  • The exploit requires a Servlet container packaged as WAR to be exploited. The ROB-EX 7.0 and 7.2 server is packaged as a JAR and is thus not affected by this exploit

Our conclusion is that ROB-EX customers will not have to take additional actions to secure their ROB-EX installation in relation to the Spring4Shell vulnerability.


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment