Issue:
On 20th May 2015, several weaknesses in the Diffie-Hellman Key Exchange that could lead to security vulnerabilities in protocols such as HTTPS that rely on TLS 1.2 and earlier were published on the following website - https://weakdh.org/. This is known as the Logjam attack (CVE-2015-4000).
Products:
PowerChute Network Shutdown
Environment:
All Support OS
Cause:
- Logjam attack against the TLS protocol: “The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.”
- Threats from State Adversaries: The use of pre-computed prime numbers that are 1024 bits in size or less in the Diffie-Hellman key exchange can be exploited with varying levels of difficulty:
  - 512-bit – An individual user can break this.
  - 768-bit – University level resources required.
  - 1024-bit – Nation-State level resources required.
PowerChute Network Shutdown
V2.2.x – These versions support DHE_EXPORT cipher suites and are vulnerable.
V3.0.x – DHE_EXPORT cipher suites are blocked, but they use a Diffie-Hellman prime of less than 2048 bits and are therefore vulnerable. The level of difficulty depends on the JRE version being used with PowerChute. Java 8 uses a default value of 1024 bits. Java 7 may use 768 bits or higher, depending on the version.
V4.0.0 – DHE_EXPORT cipher suites are blocked, but they use a Diffie-Hellman prime of less than 2048 bits and are therefore vulnerable. The level of difficulty depends on the JRE version being used with PowerChute. Java 8 uses a default value of 1024 bits. Java 7 may use 768 bits or higher, depending on the version.
Solution:
PowerChute Network Shutdown
We recommend updating the version of PowerChute Network Shutdown to the latest version, v5.x, or updating the JRE version used by PowerChute to Java 8. For 32-bit Solaris OS, Java 7 must be used.
- V2.2.x – Install the 32-bit version of Java 8 from java.com on the machine running PowerChute. Re-run the PowerChute installer – v2.2.x will automatically detect and use Java 8.
- V3.0.x – Install the 32-bit version of Java 8 from java.com on the machine running PowerChute. Re-run the PowerChute installer and select the Public JRE option.
- V4.0.0 has Java 8 bundled as a private JRE.
Once PowerChute has been configured to use Java 8 (Java 7 on Solaris x86):
1. Stop the PowerChute service.
2. In the folder where Java is installed, open “lib\security\java.security” using a text editor.
3. Scroll to the end of the file and locate the line “jdk.tls.disabledAlgorithms=SSLv3” – set this to “jdk.tls.disabledAlgorithms=SSLv3,DH”.
4. Save the file and re-start the PowerChute service.
Adding “DH”, as outlined in step 3 above, removes support for DHE cipher suites and forces clients connecting to PowerChute to use ECDHE cipher suites. Elliptic-Curve Diffie-Hellman (ECDH) key exchange is not vulnerable to the Logjam attack.
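The steps above edit java.security by hand. The following Python script is an added example, not PowerChute's or Schneider Electric's own tooling: it performs step 3 in a way that can be re-run safely on many hosts, locating the active jdk.tls.disabledAlgorithms property, appending a bare DH entry only when it is missing, and keeping a .bak copy of the original file. It assumes the file path is passed on the command line; the java.security excerpt embedded in it is constructed for the demonstration and handles the trailing-backslash continuation syntax that newer copies of the file use.

```python
"""Apply and verify the java.security edit from step 3 (added example).

This is not PowerChute's or Schneider Electric's own tooling. It reads a
java.security file, finds the active jdk.tls.disabledAlgorithms property,
appends a bare "DH" entry when it is missing, and writes the file back
after saving a .bak copy. A key-size constraint entry such as
"DH keySize < 1024" is deliberately not treated as equivalent to "DH":
only the bare entry disables every DHE cipher suite, which is what the
procedure above requires.
"""
import re
import shutil
import sys
from pathlib import Path

PROPERTY = "jdk.tls.disabledAlgorithms"
_HEAD = re.compile(re.escape(PROPERTY) + r"\s*[=:]\s*(.*)$")

# Constructed excerpt of a java.security file (not copied from any JRE).
SAMPLE = """# constructed java.security excerpt
# jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024
jdk.certpath.disabledAlgorithms=MD2
"""


def _span_end(lines, start):
    """Index of the last raw line of the logical line beginning at start."""
    end = start
    if not lines[start].lstrip().startswith(("#", "!")):  # comments never continue
        while lines[end].rstrip().endswith("\\") and end + 1 < len(lines):
            end += 1
    return end


def find_property(lines):
    """Return (start, end) raw-line indices of the active property, else None."""
    i = 0
    while i < len(lines):
        end = _span_end(lines, i)
        head = lines[i].lstrip()
        if not head.startswith(("#", "!")) and _HEAD.match(head):
            return i, end
        i = end + 1
    return None


def property_entries(lines, start, end):
    """Join the logical line (dropping continuation backslashes) and split on commas."""
    joined = ""
    for k in range(start, end + 1):
        piece = lines[k].rstrip()
        if piece.endswith("\\"):
            piece = piece[:-1]
        joined += piece.lstrip()
    value = _HEAD.match(joined).group(1)
    return [e.strip() for e in value.split(",") if e.strip()]


def dh_disabled(text):
    """True only if a bare DH entry is present (a keySize constraint is not enough)."""
    lines = text.splitlines()
    loc = find_property(lines)
    return loc is not None and any(
        e.casefold() == "dh" for e in property_entries(lines, *loc))


def disable_dh(text):
    """Return (new_text, changed); appends DH to the property when it is missing."""
    lines = text.splitlines()
    loc = find_property(lines)
    if loc is None:  # property absent: create it
        lines.append(f"{PROPERTY}=DH")
        return "\n".join(lines) + "\n", True
    start, end = loc
    entries = property_entries(lines, start, end)
    if any(e.casefold() == "dh" for e in entries):
        return text, False  # already done; running again is a no-op
    entries.append("DH")
    lines[start:end + 1] = [f"{PROPERTY}=" + ", ".join(entries)]
    return "\n".join(lines) + "\n", True


def apply_to_file(path):
    """Edit path in place (keeping a .bak copy) and report whether it changed."""
    path = Path(path)
    new_text, changed = disable_dh(path.read_text(encoding="latin-1"))
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text, encoding="latin-1")
    return changed


if __name__ == "__main__":
    # Usage: python disable_dh.py <java-home>/lib/security/java.security
    # Stop the PowerChute service first and restart it afterwards (steps 1 and 4).
    if len(sys.argv) == 2:
        print("changed" if apply_to_file(sys.argv[1]) else "DH already disabled")
    else:
        print(disable_dh(SAMPLE)[0])
```

Run without arguments it prints the rewritten sample excerpt; with a path it edits that file. The dh_disabled() check is the useful part for auditing: it reports a host as compliant only when the bare DH entry is present, so a file that merely constrains DH key sizes is still flagged as needing the change.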
Released for: Schneider Electric Vietnam