Issue:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3 vulnerable to CVE-2022-33980 & CVE-2022-42889
NOTE: PCNS only uses StringEscapeUtils.escapeHtml4(String) from the commons-text library. PCNS uses this to make some user-provided input (outlet group names, SSH action titles, etc.) safe for display in HTML.
Our testing shows this is not vulnerable to the string interpolation issue highlighted by CVE-2022-42889.
If a customer feels they must upgrade because of CVE-2022-42889, have the customer follow the instructions below.
****This FAQ is internal because the CVEs have not been posted to the Cyber Security Portal.
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
Product:
PowerChute Network Shutdown 4.4.1, 4.4.2 & 4.4.3
Environment:
All supported Windows OS
All supported Linux OS
Cause:
Vulnerabilities in the Apache Commons libraries (commons-configuration2 and commons-text) bundled in the PCNS lib folder
Solution:
The information below can be shared with customers when they report either CVE.
1. Download the attached Win-Replacement-files.zip or Linux-Replacement-files.zip and send the zip file and the instructions below to the customer.
On Windows
2. Uncompress the folder Win-Replacement-files.zip
3. Open a command prompt as an administrator and stop the PowerChute service. The command is net stop pcns1
4. Go to C:\Program Files\APC\PowerChute\group1\lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar
5. Copy the contents of the Win-Replacement-files folder to C:\Program Files\APC\PowerChute\group1\lib. This step replaces the removed files and corrects the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar
6. Restart the PowerChute service. The command is net start pcns1
On Linux
1. Log in as a root user
2. Uncompress the folder Linux-Replacement-files.zip
3. Stop the PowerChute service. The command is systemctl stop PowerChute
4. Go to /opt/APC/PowerChute/group1/lib and delete:
commons-codec-1.12.jar
commons-configuration2-2.4.jar
commons-io-2.7.jar
commons-lang3-3.8.1.jar
commons-text-1.6.jar
5. Copy the contents of the Linux-Replacement-files folder to /opt/APC/PowerChute/group1/lib. This step replaces the removed files and corrects the vulnerability:
commons-codec-1.15.jar
commons-configuration2-2.8.0.jar
commons-io-2.11.0.jar
commons-lang3-3.13.0.jar
commons-text-1.10.0.jar
6. Restart the PowerChute service. The command is systemctl start PowerChute
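The Linux steps 3 to 6 above as one script, added here as an example; it is not a Schneider Electric or PCNS tool. It assumes it is run as root, that Linux-Replacement-files.zip has already been unzipped into a folder (default ./Linux-Replacement-files, overridable as the second argument), and that the PCNS lib folder is /opt/APC/PowerChute/group1/lib (overridable through the PCNS_LIB variable). Beyond the steps as written, it refuses to delete anything unless all five replacement jars are present in the source folder, and it re-checks the lib folder afterwards, so support can confirm that no vulnerable-version jar is left behind before the service is started again. The Windows variant differs only in the paths and the net stop/net start commands.

```shell
#!/bin/sh
# Added example, not PCNS code. Scripts steps 3-6 of the Linux procedure.
# Assumed: run as root, zip already unpacked, PCNS lib dir as in the FAQ.

# Vulnerable-version jars listed in step 4 and their replacements from step 5.
OLD_JARS="commons-codec-1.12.jar commons-configuration2-2.4.jar commons-io-2.7.jar commons-lang3-3.8.1.jar commons-text-1.6.jar"
NEW_JARS="commons-codec-1.15.jar commons-configuration2-2.8.0.jar commons-io-2.11.0.jar commons-lang3-3.13.0.jar commons-text-1.10.0.jar"

# Print how many of the vulnerable-version jars are still present in the lib dir.
# 0 means the replacement has been applied (or the files were never there).
count_old_jars() {
    coj_lib="$1"; coj_n=0
    for coj_j in $OLD_JARS; do
        [ -f "$coj_lib/$coj_j" ] && coj_n=$((coj_n + 1))
    done
    echo "$coj_n"
}

# Succeed only if every replacement jar exists in the given directory.
all_new_jars_present() {
    anj_dir="$1"
    for anj_j in $NEW_JARS; do
        [ -f "$anj_dir/$anj_j" ] || return 1
    done
    return 0
}

# Steps 4 and 5: delete the old jars, copy in the replacements, then verify.
# Refuses to touch the lib dir if the source folder is incomplete, so a
# half-unpacked zip cannot leave PCNS without one of its commons-* jars.
replace_commons_jars() {
    rcj_lib="$1"; rcj_src="$2"
    all_new_jars_present "$rcj_src" || { echo "replacement jars missing in $rcj_src" >&2; return 1; }
    for rcj_j in $OLD_JARS; do
        rm -f "$rcj_lib/$rcj_j"
    done
    for rcj_j in $NEW_JARS; do
        cp "$rcj_src/$rcj_j" "$rcj_lib/$rcj_j" || return 1
    done
    # Post-check: no vulnerable jar left and all replacements in place.
    [ "$(count_old_jars "$rcj_lib")" -eq 0 ] && all_new_jars_present "$rcj_lib"
}

# Full procedure (steps 3-6). Runs only when invoked with --apply, so the
# functions above can be sourced or tested without stopping the service.
if [ "${1:-}" = "--apply" ]; then
    LIBDIR="${PCNS_LIB:-/opt/APC/PowerChute/group1/lib}"
    SRCDIR="${2:-./Linux-Replacement-files}"
    systemctl stop PowerChute
    if ! replace_commons_jars "$LIBDIR" "$SRCDIR"; then
        echo "jar replacement failed; PowerChute left stopped for inspection" >&2
        exit 1
    fi
    systemctl start PowerChute
    echo "PCNS commons-* jars updated; vulnerable jars remaining: $(count_old_jars "$LIBDIR")"
fi
```

Usage: sh pcns-commons-update.sh --apply /path/to/Linux-Replacement-files. Running count_old_jars against the lib folder on its own (without --apply) is also a quick way to confirm, before or after the service restart, whether the vulnerable-version jars from step 4 are still present.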