PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3 vulnerable to CVE-2022-33980 & CVE-2022-42889

Issue:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3 vulnerable to CVE-2022-33980 & CVE-2022-42889

NOTE: PCNS only uses StringEscapeUtils.escapeHtml4(String) from the commons-text library. PCNS use this to make some user-provided input (outlet group names, ssh action titles, etc.) safe for display in HTML.

Our testing shows this not vulnerable to the string interpolation issue highlighted by CVE-2022-42889.

If a customer fells they must upgrade because of CVE-2022-42889 have the customer follow the instruction below.

****This FAQ is internal because the CVEs have not been posted to the Cyber Security Portal.
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp

Product:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3

Environment:
All supported Windows OS
All supported Linux OS

Cause:
Vulnerability in Apache

Solution:

We recommend uninstalling PowerChute Network Shutdown version 4.x and installing version 5.x, which is available at this link. https://www.se.com/us/en/product-range/61933-powerchute-network-shutdown/104358239448-powerchute-subscriptions/#overview

NOTE: to correct PowerChute version 4.x

1. Download the folder Win-Replacement-files.zip or Linux-Replacement-files.zip that are attached and send the zip and instructions below to the customer.

On Windows
2. Uncompress the folder

3. Open a command prompt as an administrator and stop the PowerChute service. the command is net stop pcns1

4. Go to C:\Program Files\APC\PowerChute\group1\lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar

5 Copy the contents of the Win-Replacement-files folder to C:\Program Files\APC\PowerChute\group1\lib. This step replaces the removed files and correct the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar


6 Restart the PowerChute service. The command is net start pcns1

On Linux

1. Log in as a root user

2. Uncompress the folder Linux-Replacement-files.zip

3. Stop the PowerChute service. the command is systemctl stop PowerChute

4. Go to /opt/APC/PowerChute/group1/lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar

5 Copy the contents of the Linux-Replacement-files folder to /opt/APC/PowerChute/group1/lib. This step replaces the removed files and correct the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar


6 Restart the PowerChute service. The command is systemctl start PowerChute

Publicerad för: Schneider Electric Sverige