Issue:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3 vulnerable to CVE-2022-33980 & CVE-2022-42889
NOTE: PCNS only uses StringEscapeUtils.escapeHtml4(String) from the commons-text library. PCNS use this to make some user-provided input (outlet group names, ssh action titles, etc.) safe for display in HTML.
Our testing shows this not vulnerable to the string interpolation issue highlighted by CVE-2022-42889.
If a customer fells they must upgrade because of CVE-2022-42889 have the customer follow the instruction below.
****This FAQ is internal because the CVEs have not been posted to the Cyber Security Portal.
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
Product:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3
Environment:
All supported Windows OS
All supported Linux OS
Cause:
Vulnerability in Apache
Solution:
We recommend uninstalling PowerChute Network Shutdown version 4.x and installing version 5.x, which is available at this link.
NOTE: to correct PowerChute version 4.x
1. Download the folder Win-Replacement-files.zip or Linux-Replacement-files.zip that are attached and send the zip and instructions below to the customer.
On Windows
2. Uncompress the folder
3. Open a command prompt as an administrator and stop the PowerChute service. the command is net stop pcns1
4. Go to C:\Program Files\APC\PowerChute\group1\lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar
5 Copy the contents of the Win-Replacement-files folder to C:\Program Files\APC\PowerChute\group1\lib. This step replaces the removed files and correct the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar
6 Restart the PowerChute service. The command is net start pcns1
On Linux
1. Log in as a root user
2. Uncompress the folder Linux-Replacement-files.zip
3. Stop the PowerChute service. the command is systemctl stop PowerChute
4. Go to /opt/APC/PowerChute/group1/lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar
5 Copy the contents of the Linux-Replacement-files folder to /opt/APC/PowerChute/group1/lib. This step replaces the removed files and correct the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar
6 Restart the PowerChute service. The command is systemctl start PowerChute
Released for: Schneider Electric Philippines
Issue:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3 vulnerable to CVE-2022-33980 & CVE-2022-42889
NOTE: PCNS only uses StringEscapeUtils.escapeHtml4(String) from the commons-text library. PCNS use this to make some user-provided input (outlet group names, ssh action titles, etc.) safe for display in HTML.
Our testing shows this not vulnerable to the string interpolation issue highlighted by CVE-2022-42889.
If a customer fells they must upgrade because of CVE-2022-42889 have the customer follow the instruction below.
****This FAQ is internal because the CVEs have not been posted to the Cyber Security Portal.
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
Product:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3
Environment:
All supported Windows OS
All supported Linux OS
Cause:
Vulnerability in Apache
Solution:
We recommend uninstalling PowerChute Network Shutdown version 4.x and installing version 5.x, which is available at this link.
NOTE: to correct PowerChute version 4.x
1. Download the folder Win-Replacement-files.zip or Linux-Replacement-files.zip that are attached and send the zip and instructions below to the customer.
On Windows
2. Uncompress the folder
3. Open a command prompt as an administrator and stop the PowerChute service. the command is net stop pcns1
4. Go to C:\Program Files\APC\PowerChute\group1\lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar
5 Copy the contents of the Win-Replacement-files folder to C:\Program Files\APC\PowerChute\group1\lib. This step replaces the removed files and correct the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar
6 Restart the PowerChute service. The command is net start pcns1
On Linux
1. Log in as a root user
2. Uncompress the folder Linux-Replacement-files.zip
3. Stop the PowerChute service. the command is systemctl stop PowerChute
4. Go to /opt/APC/PowerChute/group1/lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar
5 Copy the contents of the Linux-Replacement-files folder to /opt/APC/PowerChute/group1/lib. This step replaces the removed files and correct the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar
6 Restart the PowerChute service. The command is systemctl start PowerChute
Released for: Schneider Electric Philippines




Need help?
Start here!
Find answers now. Search for a solution on your own, or connect with one of our experts.
Contact Support
Reach out to our customer care team to receive more information, technical support, assistance with complaints and more.
Where to buy?
Easily find the nearest Schneider Electric distributor in your location.
Search FAQs
Search topic-related frequently asked questions to find answers you need.
Contact Sales
Start your sales inquiry online and an expert will connect with you.