Issue:
PowerChute Business Edition and PowerChute Network Shutdown are both affected by the recent Log4Shell vulnerabilities CVE-2021-44228 and CVE-2021-45046.
Products:
PowerChute Network Shutdown v4.2 and above.
PowerChute Business Edition v9.5 and above.
Environment:
All supported OS for the versions of PowerChute listed above
Cause:
PowerChute Business Edition and PowerChute Network Shutdown contain a vulnerable version of the log4j-core jar file. For more information, please refer to this security bulletin.
Solution:
For PowerChute Business Edition, we have released Agent 10.0.5, which includes log4j 2.17. We recommend upgrading to Agent 10.0.5. The 10.0.5 Agent can be downloaded from https://www.se.com/ww/en/product-range/61932-powerchute-business-edition/ You should download SFPCBE1005
If you are running an older version of PowerChute Business Edition on Windows or Linux, please download the attached PCBE_Scripts file that contains scripts to automate the mitigation of the log4jshell vulnerabilities.
For PowerChute Network Shutdown version 4.2 please review Schneider Electric FAQ PowerChute Network Shutdown version 4.2 Scripts to Mitigate Log4Shell Vulnerabilities – CVE-2021-44228, CVE-2021-45046
For PowerChute Network Shutdown version 4.3, 4.4, and 4.4.1 please review Schneider Electric FAQ PowerChute Network Shutdown Scripts to Mitigate Multiple CVEs Including Log4Shell Vulnerabilities
