Issue:
PowerChute Network Shutdown is affected by the recent Log4Shell vulnerabilities and vulnerabilities in other 3rd party libraries as listed below:
Log4J:
[CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
Jetty:
[CVE-2021-34428](https://nvd.nist.gov/vuln/detail/CVE-2021-34428)
[CVE-2021-28169](https://nvd.nist.gov/vuln/detail/CVE-2021-28169)
[CVE-2021-28165](https://nvd.nist.gov/vuln/detail/CVE-2021-28165)
[CVE-2020-27223](https://nvd.nist.gov/vuln/detail/CVE-2020-27223)
[CVE-2020-27218](https://nvd.nist.gov/vuln/detail/CVE-2020-27218)
[CVE-2020-27216](https://nvd.nist.gov/vuln/detail/CVE-2020-27216)
Spring Framework
[CVE-2020-5398](https://nvd.nist.gov/vuln/detail/CVE-2020-5398)
[CVE-2020-5421](https://nvd.nist.gov/vuln/detail/CVE-2020-5421)
Commons Compress:
[CVE-2021-36090](https://nvd.nist.gov/vuln/detail/CVE-2021-36090)
[CVE-2021-35517](https://nvd.nist.gov/vuln/detail/CVE-2021-35517)
[CVE-2021-35516](https://nvd.nist.gov/vuln/detail/CVE-2021-35516)
[CVE-2021-35515](https://nvd.nist.gov/vuln/detail/CVE-2021-35515)
[CVE-2019-12402](https://nvd.nist.gov/vuln/detail/CVE-2019-12402)
[CVE-2018-11771](https://nvd.nist.gov/vuln/detail/CVE-2018-11771)
For assistance with CVE-2022-33980 & CVE-2022-42889 see PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3 vulnerable to CVE-2022-33980 & CVE-2022-42889
Products:
PowerChute Network Shutdown v4.3, v4.4, v4.4.1
For PowerChute Network Shutdown version 4.2, see Schneider Electric FAQ PowerChute Network Shutdown version 4.2 Scripts to Mitigate Log4Shell Vulnerabilities – CVE-2021-44228, CVE-2021-45046.
Environment:
All supported OS for the versions of PowerChute Network Shutdown are listed above.
Cause:
PowerChute Network Shutdown contains some vulnerable 3rd party libraries that are outdated. For more information, please refer to the NVD URLs of the respective CVEs.
Solution:
Uninstall PowerChute Network Shutdown version 4.x and install PowerChute Network Shutdown version 5.x.
Or download the relevant files for your product and follow the readme file instructions.
For PowerChute Network Shutdown version 4.3, download patch_4.3.1_en.zip
For PowerChute Network Shutdown version 4.4, download patch_4.4.0.3_en.zip
For PowerChute Network Shutdown version 4.4.1, download patch_4.4.2_en.zip
The files contain scripts that will remove the vulnerable 3rd party libraries and replace them with updated versions that address the CVEs listed above.
The zip files contain updated pcns.jar, jetty 9.4.43, commons-compress 1.21, and log4j 2.17.1 jar files.
On Windows OS:
- Extract the zip file contents.
- Open a command prompt as an administrator.
- Change directory to the folder where you extracted the files.
- Run the run_patch.cmd file.
- The script will remove the old 3rd party libraries and install newer versions that address the CVEs. The script will also update the pcns.jar file.
The PowerChute Network Shutdown Windows scripts are designed for all supported versions of Windows OS.
On Linux systems:
- Extract the zip file contents. If you extracted the zip file on a Windows system, copy the pcns_patch.sh and the files folder to the Linux system.
- Open a terminal prompt or connect to the Linux system via SSH and change the directory to the location of the extracted files.
- Run the command “sudo chmod +x pcns_patch.sh” to make the file executable.
- Run the command “sudo ./pcns_patch.sh” to apply the updates. The script will stop the PowerChute service, remove the old libraries, install the new library files to the appropriate directories, and restart the PowerChute service.
For the PowerChute Network Shutdown 4.4.1 virtual appliance, download the new PowerChute 4.4.2 VM
PowerChute virtual appliance is AlmaLinux based replacing CentOS 8.
NOTE: The PowerChute Network Shutdown Linux scripts are designed for all supported versions of Linux, Solaris, AIX, HP-UX, and Mac OS.
