Version 1.4.22

Build: 1.4.22-31

Release date: 22.02.23

This is a bugfix release that also includes security fixes.

See our blog (OPC UA Pwn2Own 2023 Resource Exhaustion Exploit) for more information about the security issues. We recommend everyone to update to this version.


  • Fixed: Decimal values not accepted for variable value scaling factor and offset.

  • Fixed: ┬┤Default Byte Order┬┤ settings for Devices not working properly.

  • New: Allow configuring the global maximum number of bits read per one Modbus read (maxBitsPerModbusRead) via the configuration file (uaServerConfig.xml). The standard value defined by Modbus specification is 2000 bits, i.e, 2000 coils (1 bit) or 125 registers (8 bit).g

Version 1.4.20

Build: 1.4.20-16

Release date: 13.12.22

This is a bugfix release. Due to SDK version updates, also some memory leak fixes are included and we recommend updating to this version.

In addition, this release contains security-related improvements for user configuration.


  • Security: Improvement for user configuration.

  • Updated log4j2 to version 2.19.0. This update is not related to security.

  • New: Allow configuring the maximum number of MonitoredItems per Subscription (maxItemsPerSubscription) via the configuration file (uaServerConfig.xml).

  • Fixed: The log4j2.xml initial logging configuration file was not UTF-8.

Version 1.4.18

Build: 1.4.18-5

Release date: 12.05.22

This is a hotfix release of Prosys OPC UA Modbus Server. It fixes an issue with older 1.4.x releases where the server endpoint configuration could not be saved.

Also please note that in 1.4.16 there was an important security fix, thus everyone is recommended to update to this version instead (even though there isn’t a security reason to do so, IF you already updated to 1.4.16).


  • Fixed: Endpoints settings could not be saved.

Version 1.4.16

Build: 1.4.16-686

Release date: 11.05.22

This is a security release of Prosys OPC UA Modbus Server. Everyone is recommended to update to this version.

The security update (via updated SDK version) fixes a scenario where an attacker could cause the server to starve an internal thread pool, causing a Denial of Service (DoS). The exploit enables an unauthorized attacker to block the server applications so that they will no longer be able to serve client applications. Thus, we recommend everyone to update to this version. For more details see Pwn2Own resource exhaustion exploit.


Plus a number of other small changes.

Version 1.4.14

Build: 1.4.14-683

Release date: 21.03.22

This is a hotfix release of Prosys OPC UA Modbus Server. It fixes an issue with the 1.4.12 release, where some of the tables in the configuration views could not be opened or were empty.

This version also includes latest log4j2 version 2.17.2. Though it should be noted that this is a normal update of the library, i.e. not a security-related one.


  • Fixed: Some table views were empty or could not be opened.

  • Updated: log4j2 to version 2.17.2.

Version 1.4.12

Build: 1.4.12-677

Release date: 17.02.22

This version fixes bugs, memory and security issues.

The application now uses JavaFX version 17.0.2, which fixes some memory leaks.

This version also updates used log4j2 from version 2.16.0 to 2.17.1. See for more information. There are 2 new CVEs after 2.16.0. However, as far as we understand in practice they have no impact per se, even if technically we are affected by one of them. Regardless, we do recommend everyone to update to this version. For the CVE-2021-45105, the default logging configuration does not include MDC in the pattern, thus we should not be affected.

For the CVE-2021-44832, per apache’s page: "(previous versions) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file". So the filesystem would have to be compromised for this to happen. In general our applications do not expect a hostile (local) environment. Typically this kind of vulnerability could be used for a privilege escalation attack, but Modbus Server for better or worse requires admin priviledges to run. Thus the created configuration files at the first startup are admin-owned, thus there is nothing to escalate to, the attacker could just do already everything they could do via Modbus Server in a more complicated way. Thus, this CVE in practice has no impact, but we still do recommend to update just in case. NOTE! for the "portable install" and docker distributions, there could be more impact if the user running the application differs from the one unzipping the distribution and/or if that user has higher privileges on the system.


  • New: Added support for multiple serial slave devices in one serial port.

  • Updated: log4j2 to version 2.17.1.

  • Updated: JavaFX to version 17.0.2.

Plus a number of other small changes.

Version 1.4.10

Build: 1.4.10-668

Release date: 16.12.2021

This is a security release of Prosys OPC UA Modbus Server. Everyone is recommended to update to this version.

Apache Foundation has released another version of log4j2 in order to fix a new CVE-2021-45046: Per our understanding we would not be vulnerable to CVE-2021-45046, but just to be safe this release updates to log4j2 2.16.0.

Application Changes

  • Updated log4j2 to version 2.16.0

Information model changes

  • No changes.

Version 1.4.8

Build: 1.4.8-664

Release date: 13.12.2021

Emergency release to fix the "Log4Shell" attack.

Everyone is recommended to update to this version.

Mitigation strategies for older release can be found in

Application Changes

  • Updated log4j2 to version 2.15.0

Information model changes

  • No changes.

Version 1.4.6

Build: 1.4.6-653

Release date: 28.05.2021

This is a bugfix and security release. The application is updated to use Prosys OPC UA SDK for Java version 4.5.6, see the release notes.

Application Changes

  • Uses Prosys OPC UA SDK for Java version 4.5.6.

Information model changes

  • No changes.

Version 1.4.4

Build: 1.4.4-648

Release date: 04.05.2021

This is a security release. Due to an implementation error, user authorization checks were not performed and all username & password combinations and user certificates were always granted access, if the respective authentication methods were enabled. Affected versions are 1.2.x, 1.3.x and 1.4.x (older than this release).

We recommend everyone to update to this version.

Note that while the error is critical, it does impact you only if user authorization played a role in the way you use the application. The application doesn’t have user specific data and most use cases of OPC UA typically use just Application Level Authentication with the Anonymous user authentication mode.

Application Changes

  • Security Fix: User authentication checks were not working.

Information model changes

  • No changes.

Version 1.4.2

Build: 1.4.2-642

Release date: 26.03.2021

This is a bugfix release. Due to SDK version updates, also some memory leak and security fixes are included and we recommend updating to this version.

The Ubuntu 18.04 issue mentioned in 1.4.0 notes is now fixed in this release

Application Changes

Information model changes

  • No changes.

Version 1.4.0

Build: 1.4.0-636

Release date: 03.02.2021

This is a new major release that includes new features, fixes and a new Docker based distribution option. The release includes security, memory leak and bug fixes. In addition the installers of the standard distribution have been updated.

The configuration of the OPC UA Server part is now in a file called uaServerSettings.xml (instead of serverSettings.xml). The application will migrate old configurations, with some limits:

  • Transport protocol opc.https is disabled by default even if it was enabled in the old configuration. It is now disabled by default in new configurations, see the warning on about HTTPS before enabling it. We won’t actively test opc.https.

  • Security policies are migrated to be used (in general) if they were enabled to (any) MessageSecurityMode (no changes, if all configurations were made with the UI in the old version).

The portable edition now requires Java 11. In addition, the runtime no longer needs to neither shall have JavaFX, since that is provided by the application itself. Obtaining Java is outside the scope of the instructions, but e.g. should work. Note that the configuration UI only works on "mainstream OSes", such as normal Windows, Linux, macOS, but otherwise the application itself should run where Java 11 can run.
The application now requires a 64 bit machine. Running non-UI parts using the portable installation may work on 32 bit machines, but is not tested nor officially supported.
The minimum requirement for the Linux installer is Ubuntu 20.04. However, we hope that a future version will work in 18.04. This version has a known issue, which prevents it working out-of-the-box there. However, there is a workaround: Right after running the installer you can copy prosys-opc-ua-modbus-server-service.service from /etc/systemd/system to /usr/lib/systemd/system before starting the application for the first time after installation. Alternatively, you can use the portable edition on Ubuntu 18.04. Other Linux distributions than Ubuntu may work, but have not been tested, use the portable edition if the standard installation won’t work on your distro.

Application Changes

  • Uses Prosys OPC UA SDK for Java version 4.5.2:

  • New: Docker Image as distribution option.

  • New: Added support for reverse connections.

  • Fixed/Changed: Transport protocol opc.https disabled by default.

  • Fixed: UI could freeze if "Open Certificate in OS viewer" option was used on Linux.

  • Fixed: Application’s own Certificates can now be opened in the Certificates view.

  • Fixed: Selecting serial port based Modbus Device did freeze the application if run in portable mode.

  • Changed: Linux installer is now a .sh script (like our Browser/SimulationServer/Monitor have).

  • Changed: MessageSecurityMode None is no longer enabled by default (unless migrated from old configuration file).

  • Changed: SecurityPolicies Basic128Rsa15 and Basic256 are no longer enabled by default (unless migrated from old configuration file). They are considered to be non-secure by OPC UA 1.04, but can be enabled in the Endpoints view if needed. Not recommended for public networks.

  • Changed: Removed portable tar.gz option, based on our latest tests the .zip option uncompressed retaining exec bits on start scripts on Linux, which was the only reason keeping tar.gz. If for some reasons it won’t work on your distro, let us know, but you can chmod the exec bits as a workaround.

Information model changes

  • No direct changes, but the DI dependency model was updated to 1.02 version.

Version 1.3.4

This is a new security update to Prosys OPC UA Modbus Server.

It fixes the known security issue called Manger’s Attack by replacing the Bouncy Castle library with version 1.64. Contains no other changes.

Version 1.3.2

This is a new minor release. There are a couple of important bugfixes.

Application Changes

  • Fixed: Possible deadlock / memory leak scenario related to creating monitored items.

  • Fixed: Importing of variables from CSV file was not working properly in some cases when using "Ignore all new variables conflicting with existing variables" overwrite policy.

Information model changes

  • No changes

Version 1.3.0

This is a new major release that improves different aspects of the data transfer functionality between the Prosys OPC UA Modbus Server and Modbus devices. Support for different user needs is expanded by enabling Modbus serial port communication and an expanded data model that incorporates new data types and the possibility to define array values.

Application Changes

  • New: Support for Modbus serial protocol (ASCII and RTU)

  • New: Possibility to import and export device-specific variable configurations from/to a CSV file through the Configuration Mode UI

  • New: Option to define array variables

  • New: Extended support for different IEC 61131-3 data types. New data types include 8 bit and 64 bit integers (SINT, USINT, LINT, ULINT), 64 bit floating-point decimal (LREAL) and character strings encoded in ISO 8859-1 and UTF-16 (CHAR, WCHAR)

  • New: Option to use BIT data type for Input and Holding Registers.

  • New: New right-click menu commands for performing actions on Modbus devices, tables and variables in the Configuration Mode UI

  • New: Device-wide setting for the default byte transfer order of new variables (swap bytes and swap words)

  • Improved: Major improvements in performance of accessing data from Modbus devices

  • Improved: Improved support for features of the OPC UA MonitoredItem Service Set and Read Service in accessing Modbus data

  • Improved: SourceTimestamp of values in the OPC UA address space now reflects the time when the value was retrieved from the Modbus device

  • Improved: Added support for IPv6 addresses for OPC UA Endpoints

  • Improved: Extended the support for shortcut keys for editing variables in the Modbus Devices tab of the Configuration Mode UI. Shortcuts now include: select all (Ctrl + A), create new (Ctrl + N), edit (Ctrl + E) and delete (DELETE)

  • Improved: Added tooltips for all buttons

Information model changes

  • New: Added new Enumeration values to ModbusDataType: SINT, USINT, LINT, ULINT, LREAL, CHAR (ISO 8859-1) and WCHAR (UTF-16)

  • New: Added two new Properties (ArrayLength and BitOffset) to ModbusVariableConfigurationType

  • New: Added ModbusSerialDeviceType and ModbusTCPDeviceType

  • Changed: ModbusDeviceType to an abstract type

  • Changed: The DataType of the components of ModbusDeviceType from BaseDataVariableType to PropertyType

  • Changed: Added three new Properties to ModbusDeviceType: IsInternal, DefaultSwapBytes and DefaultSwapWords

  • Renamed: ModbusBlockType to ModbusTableType and its subtypes ModbusDigitalInputBlockType, ModbusDigitalOutputBlockType, ModbusHoldingRegisterBlockType and ModbusInputRgisterBlockType from XXXBlockType to XXXsTableType

  • Renamed: SwapByte and SwapWord Properties of the ModbusVariableConfigurationType to SwapBytes and SwapWords, respectively

  • Renamed: ModbusProtocol to ModbusProtocolVariant

  • Removed: ModbusMasterDeviceType and ModbusSlaveDeviceType

Version 1.2.2

This is a new minor version that mainly improves the data transfer functionality between the Prosys OPC UA Modbus Server and Modbus devices.

Application Changes

  • Improved: Major improvements in performance and functionality of the updating of variables with Modbus reads

  • Improved: Minor tweaks in the Configuration Mode user interface

  • Improved: User manual describes the logging functionality in more detail

Information model changes

  • New: Descriptions for all Nodes defined in the information model

  • Renamed: ModbusMasterType to ModbusMasterDeviceType

  • Renamed: ModbusSlaveType to ModbusSlaveDeviceType

Version 1.2.0

This is a new major release. The application has been redesigned internally, which enables it to be run in headless environments (without the user interface that requires Java FX). There is also a new installation option, called Portable Installation which enables the installation to any environment that has Java SE 8 preinstalled.

Application Changes

  • New: Support for linear scaling of register values

  • New: Show current Value in the variable configuration page

  • New: UnitID can be configured for Modbus TCP also (previously it was only available for Modbus RTU over TCP devices)

  • New: Description text can be comfigured for devices and variables

  • Fixed: Entering application license does not require application restart

  • Changed: NamespaceURI of the Device instances (does not contain server hostname anymore)

  • Changed: Configuration User Interface has been reworked

  • Improved: User manual has been reworked and extended

  • Improved: Optimized updating of variables with Modbus reads for multiple addresses whenever possible

  • Changed: Basic256Sha256 Security Policy is now enabled by default

Information model changes

  • New: Enumeration values to ModbusDataType: UINT and UDINT

  • Removed: ModbusIoType

  • Renamed: ModbusRegisterConfigurationType to ModbusVariableConfigurationType

  • Renamed: HasModbusRegisterConfiguration to HasModbusVariableConfiguration (ReferenceType)

  • Renamed: ModbusIoBlockType to ModbusBlockType

Version 1.1.4

This is a new minor release that enables the use of unsigned data types as well as improvements in the configuration UI.

  • New: Support for unsigned integers

  • Fixed: Removed unnecessary creation of temporary log-file at startup

  • Fixed: Changed server status messages to be more descriptive

  • Improvement: Linux installer creates settings folder already during install

  • Improvement: Default tag names are updated if the register address is changed

Version 1.1.2

This is a new minor version that improves several details of Modbus and OPC UA connectivity. This version has also been Certified for Compliance by the OPC Foundation.

  • New: User Authentication enabled

  • New: New configuration parameters for MaxSessionCount, MaxSessionTimeout & MaxSubscriptionCount of OPC UA Server

  • Fixed: Handling of communication errors, changing quality of variables properly to Bad_NoCommunication and improving reconnecting

  • Fixed: Keep initial values as bad for variables when the server starts until it succeeds in reading them

  • Fixed: Define input variables as read-only (AccessLevel=[CurrentRead])

  • Fixed: Use ValueRank.Scalar for variables

  • Fixed: Provide Bad_NoCommunication, if the client tries to write to a device to which we don’t have a connection

  • Fixed: CurrentTime can be subscribed to (and keeps updating)

  • Changed: Modbus timeout from 3s to 1s

  • Changed: Validate ApplicationURI of client certificates by default (configurable with the xml parameter 'validateApplicationUriInCertificate')

  • Changed: Use TransactionID in all Modbus message requests to match responses in case of communication disruptions

  • Changed: Set default EURange to analog variables

Version 1.1.0

The 1.1.0 version includes a major update of the application as a Modbus slave functionality has been added.

The configuration of Modbus tags has changed remarkably. If you are upgrading from an earlier version, your tag configuration will be removed and the tags must be reconfigured after upgrading to the new version.
  • New: Modbus slave functionality

  • New: Enabling/disabling of a configured master/slave device

  • Changed: Tag configuration structure, enabling more flexible Modbus tag configurations

    • Each modbus tag is now read separately, enabling sparse modbus adrressing

    • Each tag is modeled as OPC UA DiscreteItemType (bit variables) or AnalogItemType (integer and real variables)

    • Each tag has the configuration params defined in an object of ModbusRegisterConfigurationType that is referred with a HasModbusConfiguration reference

Version 1.0.2

The 1.0.2 version includes bugfixes and minor updates to the GUI.

  • New: Support for Systemd in Linux

  • New: Demo and evaluation countdown timer on status tab

  • Fixed: Problem in .deb package installation

  • Fixed: Renaming problem when renaming tags with DINT size

  • Changed: Info texts of modbus device configurations

Version 1.0.0

First release of the application.