Proficy Scheduler is unaffected by the Spring4Shell vulnerability
We have conducted an internal security investigation to assess whether Proficy Scheduler is affected by the Spring4Shell vulnerability. The conclusion is that no Proficy Scheduler module or component from Proficy Scheduler v4.2 through Proficy Scheduler v7.2+ is affected (we have not investigated versions older than v4.2).
The detailed results of our internal security investigation are the following:
- The only Proficy Scheduler products using Spring are Multiuser Server 7.0 and Multiuser Server 7.2.
- The vulnerability requires Java 9 or higher to be exploited.
- The Proficy Scheduler 7.0 server runs on Java 8 and is therefore not affected.
- The Proficy Scheduler 7.2 server and newer run on Java 11+. These server versions use Spring Boot v2.6.6 or newer, in which the Spring4Shell vulnerability is fixed.
- The vulnerability requires the application to be deployed as a WAR in a Servlet container to be exploited. The Proficy Scheduler 7.0 and 7.2+ servers are packaged as a JAR and are therefore not affected.
Our conclusion is that Proficy Scheduler customers will not have to take additional actions to secure their Proficy Scheduler installation in relation to the Spring4Shell vulnerability.
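The three preconditions listed above (Java 9+, a WAR deployed in a Servlet container, and a Spring Boot version older than 2.6.6) can be checked mechanically against an installed artifact. The following is an added example written for this advisory, not Proficy Scheduler code; it reads the `Spring-Boot-Version` attribute from `META-INF/MANIFEST.MF`, infers WAR versus JAR packaging from the `WEB-INF/` layout, parses the `java -version` banner, and reports whether all three preconditions hold. The sample archives and Java banners are constructed in memory, the `build_sample_archive` helper and the assumed Spring Boot versions of the servers are illustrative only, and the Spring Framework fix thresholds (5.3.18 and 5.2.20) come from general knowledge rather than from this page.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample "java -version" banners (the JDK prints these on stderr).
JAVA8_OUTPUT = 'openjdk version "1.8.0_322"\nOpenJDK Runtime Environment (build 1.8.0_322-b06)\n'
JAVA11_OUTPUT = 'openjdk version "11.0.14" 2022-01-18\nOpenJDK Runtime Environment (build 11.0.14+9)\n'

BOOT_FIXED = (2, 6, 6)  # Spring Boot version that ships the fix, as stated in the advisory above


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.6.6' -> (2, 6, 6); extra qualifiers such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def java_major_version(banner: str) -> Optional[int]:
    """Map a java -version banner to a major number; '1.8.0' counts as 8, '11.0.14' as 11."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', banner)
    if not m:
        return None
    major = int(m.group(1))
    if major == 1 and m.group(2):  # legacy 1.x scheme used up to Java 8
        return int(m.group(2))
    return major


@dataclass
class ArtifactFacts:
    packaging: str                                  # "war" or "jar"
    spring_boot_version: Optional[Tuple[int, ...]]  # from META-INF/MANIFEST.MF, if present
    spring_framework_version: Optional[Tuple[int, ...]]  # from bundled spring-*.jar names, if present


def inspect_artifact(data: bytes) -> ArtifactFacts:
    """Inspect a JAR/WAR (zip) and collect packaging and Spring version evidence."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        packaging = "war" if any(n.startswith("WEB-INF/") for n in names) else "jar"
        boot = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Spring-Boot-Version:\s*(\S+)", manifest, re.M)
            if m:
                boot = parse_version(m.group(1))
        framework = None
        for n in names:
            m = re.search(r"spring-(?:beans|core|webmvc)-(\d+\.\d+\.\d+)", n)
            if m:
                framework = parse_version(m.group(1))
                break
    return ArtifactFacts(packaging, boot, framework)


def framework_patched(fw: Tuple[int, ...]) -> bool:
    """Spring Framework fix thresholds (general knowledge, not from the advisory): 5.3.18 / 5.2.20."""
    if fw[:2] == (5, 3):
        return fw >= (5, 3, 18)
    if fw[:2] == (5, 2):
        return fw >= (5, 2, 20)
    return False


def assess(java_banner: str, artifact: bytes) -> dict:
    """Return 'exposed': True only when every precondition holds and no fix evidence is found."""
    facts = inspect_artifact(artifact)
    java = java_major_version(java_banner)
    reasons = []  # each entry is one precondition that does NOT hold
    if java is not None and java < 9:
        reasons.append(f"runs on Java {java}; exploitation needs Java 9 or higher")
    if facts.packaging != "war":
        reasons.append("packaged as a JAR, not a WAR deployed in a Servlet container")
    if facts.spring_boot_version and facts.spring_boot_version >= BOOT_FIXED:
        reasons.append("Spring Boot %s includes the fix" % ".".join(map(str, facts.spring_boot_version)))
    elif facts.spring_framework_version and framework_patched(facts.spring_framework_version):
        reasons.append("bundled Spring Framework is a patched release")
    # Unknown Java or Spring versions are treated conservatively: they do not clear the check.
    return {"exposed": not reasons, "java": java, "packaging": facts.packaging,
            "spring_boot": facts.spring_boot_version, "reasons_not_exposed": reasons}


def build_sample_archive(packaging: str, boot_version: str, framework_version: str) -> bytes:
    """Constructed in-memory archive with the minimum layout the checks above look at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nSpring-Boot-Version: {boot_version}\n")
        lib_dir = "WEB-INF/lib/" if packaging == "war" else "BOOT-INF/lib/"
        zf.writestr(lib_dir + f"spring-beans-{framework_version}.jar", b"")
        if packaging == "war":
            zf.writestr("WEB-INF/web.xml", "<web-app/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed, illustrative profiles of the 7.0 and 7.2 servers (Boot versions are constructed).
    print(assess(JAVA8_OUTPUT, build_sample_archive("jar", "2.3.4", "5.2.9")))
    print(assess(JAVA11_OUTPUT, build_sample_archive("jar", "2.6.6", "5.3.18")))
    print(assess(JAVA11_OUTPUT, build_sample_archive("war", "2.6.5", "5.3.17")))
```

On a real installation, replace the constructed inputs with the captured `java -version` output and the bytes of the deployed server archive; any result with `exposed` set to True, or with an unknown Java or Spring version, is the case that needs a closer look.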