{}

Our Brands

Impact-Company-Logo-English Black-01-177x54

Welcome to the Schneider Electric Website

Welcome to our website.

Search FAQs

PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3 vulnerable to CVE-2022-33980 & CVE-2022-42889

Issue:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3 vulnerable to CVE-2022-33980 & CVE-2022-42889

NOTE: PCNS only uses StringEscapeUtils.escapeHtml4(String) from the commons-text library. PCNS use this to make some user-provided input (outlet group names, ssh action titles, etc.) safe for display in HTML.

Our testing shows this not vulnerable to the string interpolation issue highlighted by CVE-2022-42889.

If a customer fells they must upgrade because of CVE-2022-42889 have the customer follow the instruction below.

****This FAQ is internal because the CVEs have not been posted to the Cyber Security Portal.
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

Product:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3

Environment:
All supported Windows OS
All supported Linux OS

Cause:
Vulnerability in Apache

Solution:
The information below can be shared with customers when they report either CVE as needed.

1. Download the folder Win-Replacement-files.zip or Linux-Replacement-files.zip that are attached and send the zip and instructions below to the customer.

On Windows
2. Uncompress the folder

3. Open a command prompt as an administrator and stop the PowerChute service. the command is net stop pcns1

4. Go to C:\Program Files\APC\PowerChute\group1\lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar

5 Copy the contents of the Win-Replacement-files folder to C:\Program Files\APC\PowerChute\group1\lib. This step replaces the removed files and correct the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar


6 Restart the PowerChute service. The command is net start pcns1

On Linux

1. Log in as a root user

2. Uncompress the folder Linux-Replacement-files.zip

3. Stop the PowerChute service. the command is systemctl stop PowerChute

4. Go to /opt/APC/PowerChute/group1/lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar

5 Copy the contents of the Linux-Replacement-files folder to /opt/APC/PowerChute/group1/lib. This step replaces the removed files and correct the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar


6 Restart the PowerChute service. The command is systemctl start PowerChute

Schneider Electric New Zealand

Attachment(s)

Linux-Replacement-files.zipLinux-Replacement-files.zip [1.83 MB]
Win-Replacement-files.zipWin-Replacement-files.zip [1.83 MB]
Explore more
Range:
Users group

Discuss this topic with experts

Visit our Community for first-hand insights from experts and peers on this topic and more.
Explore more
Range: