Prosys OPC UA Modbus Server

Build: 1.4.22-31

Release date: 22.02.23

This is a bugfix release that also includes security fixes.

See our blog (OPC UA Pwn2Own 2023 Resource Exhaustion Exploit) for more information about the security issues. We recommend everyone to update to this version.

Build: 1.4.20-16

Release date: 13.12.22

This is a bugfix release. Due to SDK version updates, also some memory leak fixes are included and we recommend updating to this version.

In addition, this release contains security-related improvements for user configuration.

Build: 1.4.18-5

Release date: 12.05.22

This is a hotfix release of Prosys OPC UA Modbus Server. It fixes an issue with older 1.4.x releases where the server endpoint configuration could not be saved.

Also please note that in 1.4.16 there was an important security fix, thus everyone is recommended to update to this version instead (even though there isn’t a security reason to do so, IF you already updated to 1.4.16).

Build: 1.4.16-686

Release date: 11.05.22

This is a security release of Prosys OPC UA Modbus Server. Everyone is recommended to update to this version.

The security update (via updated SDK version) fixes a scenario where an attacker could cause the server to starve an internal thread pool, causing a Denial of Service (DoS). The exploit enables an unauthorized attacker to block the server applications so that they will no longer be able to serve client applications. Thus, we recommend everyone to update to this version. For more details see Pwn2Own resource exhaustion exploit.

Build: 1.4.14-683

Release date: 21.03.22

This is a hotfix release of Prosys OPC UA Modbus Server. It fixes an issue with the 1.4.12 release, where some of the tables in the configuration views could not be opened or were empty.

This version also includes latest log4j2 version 2.17.2. Though it should be noted that this is a normal update of the library, i.e. not a security-related one.

Build: 1.4.12-677

Release date: 17.02.22

This version fixes bugs, memory and security issues.

The application now uses JavaFX version 17.0.2, which fixes some memory leaks.

This version also updates used log4j2 from version 2.16.0 to 2.17.1. See https://logging.apache.org/log4j/2.x/security.html for more information. There are 2 new CVEs after 2.16.0. However, as far as we understand in practice they have no impact per se, even if technically we are affected by one of them. Regardless, we do recommend everyone to update to this version. For the CVE-2021-45105, the default logging configuration does not include MDC in the pattern, thus we should not be affected.

For the CVE-2021-44832, per apache’s page: "(previous versions) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file". So the filesystem would have to be compromised for this to happen. In general our applications do not expect a hostile (local) environment. Typically this kind of vulnerability could be used for a privilege escalation attack, but Modbus Server for better or worse requires admin priviledges to run. Thus the created configuration files at the first startup are admin-owned, thus there is nothing to escalate to, the attacker could just do already everything they could do via Modbus Server in a more complicated way. Thus, this CVE in practice has no impact, but we still do recommend to update just in case. NOTE! for the "portable install" and docker distributions, there could be more impact if the user running the application differs from the one unzipping the distribution and/or if that user has higher privileges on the system.

Build: 1.4.10-668

Release date: 16.12.2021

This is a security release of Prosys OPC UA Modbus Server. Everyone is recommended to update to this version.

Apache Foundation has released another version of log4j2 in order to fix a new CVE-2021-45046: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046. Per our understanding we would not be vulnerable to CVE-2021-45046, but just to be safe this release updates to log4j2 2.16.0.

Build: 1.4.8-664

Release date: 13.12.2021

Emergency release to fix the https://nvd.nist.gov/vuln/detail/CVE-2021-44228 "Log4Shell" attack.

Everyone is recommended to update to this version.

Mitigation strategies for older release can be found in https://logging.apache.org/log4j/2.x/security.html.

Build: 1.4.6-653

Release date: 28.05.2021

This is a bugfix and security release. The application is updated to use Prosys OPC UA SDK for Java version 4.5.6, see the release notes.

Build: 1.4.4-648

Release date: 04.05.2021

This is a security release. Due to an implementation error, user authorization checks were not performed and all username & password combinations and user certificates were always granted access, if the respective authentication methods were enabled. Affected versions are 1.2.x, 1.3.x and 1.4.x (older than this release).

We recommend everyone to update to this version.

Note that while the error is critical, it does impact you only if user authorization played a role in the way you use the application. The application doesn’t have user specific data and most use cases of OPC UA typically use just Application Level Authentication with the Anonymous user authentication mode.

Build: 1.4.2-642

Release date: 26.03.2021

This is a bugfix release. Due to SDK version updates, also some memory leak and security fixes are included and we recommend updating to this version.

Build: 1.4.0-636

Release date: 03.02.2021

This is a new major release that includes new features, fixes and a new Docker based distribution option. The release includes security, memory leak and bug fixes. In addition the installers of the standard distribution have been updated.

The configuration of the OPC UA Server part is now in a file called uaServerSettings.xml (instead of serverSettings.xml). The application will migrate old configurations, with some limits:

This is a new security update to Prosys OPC UA Modbus Server.

It fixes the known security issue called Manger’s Attack by replacing the Bouncy Castle library with version 1.64. Contains no other changes.

This is a new minor release. There are a couple of important bugfixes.

This is a new major release that improves different aspects of the data transfer functionality between the Prosys OPC UA Modbus Server and Modbus devices. Support for different user needs is expanded by enabling Modbus serial port communication and an expanded data model that incorporates new data types and the possibility to define array values.

This is a new minor version that mainly improves the data transfer functionality between the Prosys OPC UA Modbus Server and Modbus devices.

This is a new major release. The application has been redesigned internally, which enables it to be run in headless environments (without the user interface that requires Java FX). There is also a new installation option, called Portable Installation which enables the installation to any environment that has Java SE 8 preinstalled.

This is a new minor release that enables the use of unsigned data types as well as improvements in the configuration UI.

This is a new minor version that improves several details of Modbus and OPC UA connectivity. This version has also been Certified for Compliance by the OPC Foundation.

The 1.1.0 version includes a major update of the application as a Modbus slave functionality has been added.

The 1.0.2 version includes bugfixes and minor updates to the GUI.

First release of the application.