APC - PowerChute Business Edition

[OS3DrNick]

Not visible anything on their site yet:

C:\Program Files (x86)\APC\PowerChute Business Edition\agent\lib>dir | findstr log4j

10-12-2020 18:42 264,058 log4j-api-2.11.1.jar
10-12-2020 18:42 1,607,936 log4j-core-2.11.1.jar
10-12-2020 18:42 23,242 log4j-slf4j-impl-2.11.1.jar

PowerChute Business Edition - 10.0.2.301

[maertsen]

@OS3DrNick we would very much appreciate a PR. Let me know if that causes issues (time or otherwise).

[OS3DrNick]

i hope its oke: #53

[martijngoorman]

Also PowerChute Network Shutdown 4.2.0 is vulnerable. Uses 2.2
C:\Program Files\APC\PowerChute\ {group name} \lib

• log4j-api-2.2.jar
• log4j-core-2.2.jar

[OS3DrNick]

if everything's goes correctly PR is updated with new info.

[maertsen]

thanks both!

[BassieZ]

https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2021-347-01
At least they are aware. No fix available yet

[MoweME]

On December 17, Apache updated the previously Low Severity CVE-2021-45046, to Critical
severity as the vulnerability now includes the potential for information leakage or remote code
execution, in addition to the previously known risk of denial of service. Apache released Log4j
versions 2.16.0 (for Java 8 or later) and 2.12.2 (for Java 7) to fix both CVE-2021-44228 and
CVE-2021-45046.
Source: https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2021-347-01

About a week too late to notice the seriousness of the situation.
Is that how they want to talk their way out of this? APC could have thought of it itself....
Anyway, at least there will be an update soon...

[SequoiaDu]

Mitigation has been published for PCBE and network shutdown: https://www.se.com/ww/en/download/document/SESB-2021-347-01/