Revvity Signals is aware of the recently announced Java Spring Framework vulnerabilities, in particular the one referred to as “Spring4Shell”. These vulnerabilities potentially enable an attacker to execute arbitrary code by taking advantage of poor data bindings and/or malicious expression language statements. Revvity Signals is assessing the impact on our software applications and will post updates here as new information becomes available.
The following is the latest information on each of our product lines:
ChemDraw/ChemOffice: Not affected/doesn't use this framework
Signals Notebook: Not affected/doesn't use this framework
E-Notebook/ChemBioOffice Enterprise: Not affected/doesn't use this framework
VitroVivo: The Spring Framework is used by our VitroVivo metastore REST web service. However, we are not using Spring Cloud, which is the piece that has been identified as having a security breach.
Signals Inventa/Signals Lead Discovery:
- SLD 2.4 and earlier versions: These have an API built on Spring Boot. It is recommended that any customer on these older versions upgrade to the current version to remediate the problem.
- SLD 2.5, Signals Inventa 3.0, Signals Inventa 3.1: Not affected/doesn't use this framework
Lead Discovery and Lead Discovery Premium: Not affected/doesn't use this framework
Signals Line Listing Review: Not affected/doesn't use this framework
TIBCO Spotfire: See "Spring Framework Vulnerability Update | TIBCO Software"