Proficy Scheduler is unaffected by the Log4Shell vulnerability

We have conducted an internal security investigation to assess whether Proficy Scheduler is affected by the Log4Shell vulnerability. The conclusion is that no Proficy Scheduler module or component from Proficy Scheduler v4.2 through Proficy Scheduler v7.0 is affected (we have not investigated versions older than v4.2).

The detailed results from our internal security investigation are the following:

  1. The only Proficy Scheduler product using Log4j is the JBoss Multiuser Server used for Proficy Scheduler v6.4 and older. The JBoss version used runs on Log4j v1.2.8. This Log4j version is not affected (only Log4j v2.0 and later are affected by the Log4Shell vulnerability).
  2. Proficy Scheduler Multiuser Server v7.0 and newer uses Logback logging. Logback is not affected by the mentioned security issue.
  3. Our Proficy Scheduler client, including Shopfloor, has been running Logback logging for many years. Logback is not affected by the mentioned security issue.
  4. Our Proficy Scheduler License Server does not use Log4j either, so it is not affected.

Our conclusion is that Proficy Scheduler customers will not have to take additional actions to secure their Proficy Scheduler installation in relation to the Log4Shell vulnerability.
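To confirm these findings on a particular installation, the following added example (not part of the vendor's advisory or product code) scans a directory tree for Java archives and reports which logging library classes each one contains. The class paths are those of the upstream Log4j and Logback libraries; the directory to scan and the nesting limit of three levels are assumptions of this example.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class files that identify each library; compatibility bridges also ship the Log4j 1.x API class.
MARKERS = {
    "log4j2-jndilookup": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "log4j-1.x-api": "org/apache/log4j/Logger.class",
    "logback": "ch/qos/logback/classic/Logger.class",
}
ARCHIVES = {".jar", ".war", ".ear", ".sar"}


def classify_archive(source, depth=0):
    """Return the MARKERS labels found in an archive, descending into nested archives."""
    found = set()
    try:
        with zipfile.ZipFile(source) as zf:
            for name in zf.namelist():
                found |= {label for label, entry in MARKERS.items() if name.endswith(entry)}
                if depth < 3 and Path(name).suffix.lower() in ARCHIVES and not name.endswith("/"):
                    found |= classify_archive(io.BytesIO(zf.read(name)), depth + 1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or non-ZIP file: report nothing for it
    return found


def scan(root):
    """Map each archive under root to the logging libraries detected in it."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            labels = classify_archive(path)
            if labels:
                results[str(path)] = labels
    return results


def needs_review(results):
    """Archives containing JndiLookup, the Log4j 2 class behind Log4Shell."""
    return sorted(p for p, labels in results.items() if "log4j2-jndilookup" in labels)


if __name__ == "__main__":
    report = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for archive, labels in sorted(report.items()):
        print(archive, ", ".join(sorted(labels)))
    sys.exit(1 if needs_review(report) else 0)
```

Run it with the installation directory as the only argument; a non-zero exit status means at least one archive contains the Log4j 2 `JndiLookup` class and should be reviewed.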
