Issue:
PowerChute Network Shutdown version 4.2 is affected by Log4Shell vulnerabilities CVE-2021-44228 and CVE-2021-45046.


Products:
PowerChute Network Shutdown v4.2

For PowerChute Network Shutdown versions 4.3, 4.4, 4.4.1, see Schneider Electric's, FAQ PowerChute Network Shutdown Scripts to Mitigate Multiple CVEs Including Log4Shell Vulnerabilities

Environment:
All supported OS for the versions of PowerChute Network Shutdown version 4.2

Cause:
PowerChute Network Shutdown contains a vulnerable version of the log4j-core jar file. For more information, please refer to this security bulletin.

Solution:
Download the attached 4.2.0.1 scripts that remove the vulnerable log4j2

On Windows OS, to run the PCNS patch, uncompress the zip, open a command prompt as an administrator, cd to the folder where the uncompressed files reside, and run the command run_patch.cmd. The patch will remove the old log4j files and install log4j 2.17. The patch will also update the pcns.jar file.
PowerChute Network, Shutdown Windows scripts, are designed for all supported versions of Windows OS.

On Linux systems, uncompress the zip file. Then, if uncompressed on a Windows system, copy the log4jPatch.sh and the files folder to the Linux system. Once the files have been copied, open a terminal window and cd to the directory where the files have been copied. Run the command sudo chmod 775 log4jPatch.sh to make the file executable. Then run the command sudo ./log4jPatch.sh to run the patch. The patch will stop the PowerChute service, copy a new pcns.jar file and a new log4j 2.17 file to the appropriate directories, and then restart PowerChute.

PowerChute Network's shutdown Linux scripts are designed for all supported versions of Linux, ESXi, Solaris, AIX, HPUX, and MacOS.

發佈於: 施耐德電機Taiwan