APC Security Advisory - Java Runtime Environment Unsigned Applet Privilege Escalation
Issue:
Java Runtime Environment Unsigned Applet Privilege Escalation

Product Line/s:
PowerChute Business Edition 7.x, 8.x, and 9.x for Windows, Linux, and Solaris
PowerChute Network Shutdown 2.2.x and later

Environment:
All supported OS

Cause:
A problem exists with multiple versions of Oracle's Java Runtime Environment (JRE) that may allow an unsigned applet to escalate its privileges.


Solution:

PowerChute Business Edition and PowerChute Network Shutdown may install a vulnerable JRE. However, a successful exploit would require an unsigned Java applet to execute in the context of the APC-installed JRE, which in turn would require that JRE to be associated with the local system's web browser or included in the standard Java execution path.

In some circumstances PowerChute Network Shutdown uses a system-installed JRE. All system-installed JREs must be updated to a patched version by the system administrator, since they are far more likely to be associated with the local system's web browser or included in the standard Java execution path.

Severity Risk
Low for a vulnerable APC installed JRE
Critical for a vulnerable system installed JRE


Mitigating Factors
The PowerChute Business Edition and PowerChute Network Shutdown installers do not associate the packaged JRE with the local system's web browser and do not include the packaged JRE in the standard Java execution path. It is therefore very unlikely for an unsigned Java applet to execute in the context of the APC-installed JRE unless the system administrator manually configures the system to do so. An APC-installed JRE is in use by PowerChute Business Edition or PowerChute Network Shutdown when a jre directory is present in the main product installation directory.

Recommendations and workarounds

For PowerChute Business Edition customers:

Download and apply the JRE configuration tool available on APC's website at http://www.apc.com/tools/download to all machines running the PCBE agent or server. The JRE versions supported with each release of PCBE are posted on the APC website. If your PCBE release is not supported, upgrade it to a supported release before applying the tool.

For PowerChute Network Shutdown customers:

For APC-installed JREs:
1. Ensure that APC-installed JREs are not associated with the local system's web browser and not included in the standard Java execution path.

The JRE is copied to the following directory and its path is specified in the registry or startup script as follows:

Windows:
Installed dir: C:\Program Files\java
Registry: the data value at My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNS(n)\Parameters\Application. NOTE: n = the instance number; the default instance number is 1, e.g. PCNS1.
Windows x64:
Installed dir: C:\Program Files (x86)\java
Registry: the data value at My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNS(n)\Parameters\Application. NOTE: n = the instance number; the default instance number is 1, e.g. PCNS1.
Linux:
Installed dir: /usr/local/bin/jvm
Startup script: the Java path at the 9th line of <PCNS installed dir>/powerchute.sh
Solaris:
Installed dir: /usr/bin/jvm
Startup script: the Java path right after nohup at the 9th line of <PCNS installed dir>/powerchute.sh.
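A small audit helper for the Linux/Solaris check above, added here as an example and not part of the APC advisory: it reads the Java path from line 9 of powerchute.sh, decides whether that JRE is one PCNS installed itself (the advisory's /usr/local/bin/jvm or /usr/bin/jvm directories, or a jre directory inside the product install directory), and reports whether the JRE's bin directory is on PATH. The powerchute.sh it reads and the install directory are constructed samples.

```shell
#!/bin/sh
# Added audit helper, not part of the APC advisory. Checks which Java binary
# PCNS launches (line 9 of powerchute.sh) and whether a PCNS-installed JRE has
# ended up on the standard execution PATH, which the advisory says it must not.

# Java path from line 9 of powerchute.sh: first token that is not "nohup"
# (Solaris puts nohup in front of it, Linux does not).
pcns_java_path() {
    sed -n '9p' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i != "nohup") { print $i; exit } }'
}

# 0 if the Java binary lives in a PCNS-installed JRE location; $2 = PCNS install dir.
uses_apc_jre() {
    case "$1" in
        /usr/local/bin/jvm/*|/usr/bin/jvm/*|"$2"/jre/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the directory holding the Java binary is on PATH (the exposed state).
java_dir_in_path() {
    dir=$(dirname "$1")
    case ":$PATH:" in
        *":$dir:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample script; only line 9 matters. The install dir is a placeholder.
demo_dir=$(mktemp -d)
cat > "$demo_dir/powerchute.sh" <<'EOF'
#!/bin/sh
# lines 2-8 stand in for the real script's setup
#
#
#
#
#
#
nohup /usr/local/bin/jvm/bin/java -jar pcns.jar > /dev/null 2>&1 &
EOF

java=$(pcns_java_path "$demo_dir/powerchute.sh")
echo "PCNS launches: $java"
uses_apc_jre "$java" "$demo_dir" && echo "PCNS-installed JRE in use: keep it off PATH and unassociated from the browser"
java_dir_in_path "$java" && echo "WARNING: $(dirname "$java") is on PATH" || echo "OK: JRE bin dir is not on PATH"
rm -rf "$demo_dir"
```

The same three functions apply to a Windows host only after swapping the line-9 lookup for the PCNS(n)\Parameters\Application registry value listed above.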

For system-installed JREs being used by PCNS:
1. Stop the PowerChute Network Shutdown service/daemon.
2. Update all vulnerable system-installed JREs to a patched version according to Oracle's recommendations. If updating from version 6 to version 7, install version 7 and then uninstall version 6.
3. Run the PowerChute Network Shutdown installer as an upgrade. PCNS will now use the updated Java.

If it is necessary to remove PCNS-installed JREs, follow the steps below:
1. Uninstall PowerChute Network Shutdown.
2. Install a patched JRE version according to Oracle's recommendations.
3. Reinstall PowerChute Network Shutdown.


Exploitation and Public Announcements
APC is not aware of any malicious use of the vulnerabilities described in this advisory.

Status of this notice: ACTIVE

THIS IS AN ACTIVE ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.

IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.

Distribution
This bulletin and any future updates will be posted to APC's website.


Copyright
This notice is Copyright 2007 by American Power Conversion Corporation. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.
