    APC Security Advisory - Java Runtime Environment Unsigned Applet Privilege Escalation

    Issue:
    Java Runtime Environment Unsigned Applet Privilege Escalation

    Product Line/s:
    PowerChute Business Edition 7.x, 8.x, and 9.x  for Windows, Linux, and Solaris
    PowerChute Network Shutdown 2.2.x and later

    Environment:
    All supported OS

    Cause:
    A problem exists with multiple versions of Oracle's Java Runtime Environment (JRE) that may allow an unsigned applet to escalate its privileges.


    Solution:

    PowerChute Business Edition and PowerChute Network Shutdown may install a vulnerable JRE. However, a successful exploit would require an unsigned Java applet to execute in the context of the APC installed JRE. This would require an association of the APC installed JRE with the local system's web browser or its inclusion in the standard Java execution path.

    In some circumstances PowerChute Network Shutdown utilizes a system installed JRE. All system installed JREs must be updated to a patched version by the system administrator since it is more likely for them to be associated with the local system's web browser or included in the standard Java execution path.

    Severity Risk
    Low for a vulnerable APC installed JRE
    Critical for a vulnerable system installed JRE


    Mitigating Factors
    PowerChute Business Edition and PowerChute Network Shutdown installers do not associate the packaged JRE with the local system's web browser and do not include the packaged JRE in the standard Java execution path. Therefore, it is very unlikely for an unsigned Java applet to execute in the context of the APC installed JRE unless the system administrator manually configures the system to do so. An APC installed JRE is being utilized by PowerChute Business Edition or PowerChute Network Shutdown when a jre directory is in the main product installation directory.

    Recommendations and workarounds

    For PowerChute Business Edition customers:

    Download and apply the JRE configuration tool available on APC's website at http://www.apc.com/tools/download to all machines running the PCBE agent or server. The JRE versions supported with each release of PCBE are posted on the APC Web site. If your PCBE release is not supported, upgrade it to a supported release before applying the tool.

    For PowerChute Network Shutdown customers:

    For APC installed JREs:
    1. Ensure that APC installed JREs are not associated with the local system’s web browser and not included in the standard Java execution path.

    The JRE is copied to the following directory, and its path is specified in the registry or startup script as follows:

    Windows:
    Installed dir: C:\Program Files\java
    Registry: data path in My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNS(n)\Parameters\Application
    NOTE: n = the instance number. The default instance number is 1, e.g. PCNS1.

    Windows x64:
    Installed dir: C:\Program Files (x86)\java
    Registry: data path in My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCNS(n)\Parameters\Application
    NOTE: n = the instance number. The default instance number is 1, e.g. PCNS1.

    Linux:
    Installed dir: /usr/local/bin/jvm
    Startup script: the Java path at the 9th line of /powerchute.sh

    Solaris:
    Installed dir: /usr/bin/jvm
    Startup script: the Java path right after nohup at the 9th line of /powerchute.sh
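
The Linux and Solaris checks above can be scripted. The following is an added example, not APC code: the function names and result labels are hypothetical, and the word layout of line 9 of the startup script is an assumption based on the advisory's description.

```shell
# Added example (not APC code). Install directories are the ones the advisory
# lists; the word layout of line 9 of the startup script is an assumption.

# Succeeds if any entry of a PATH-style string is the JRE directory or inside it.
path_exposes_jre() {
    target=${2%/}
    old_ifs=$IFS; IFS=:
    for entry in $1; do
        case "${entry%/}/" in
            "$target"/*) IFS=$old_ifs; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Prints the Java path from line 9 of a startup script: the word after
# "nohup" if present (Solaris wording), otherwise the first word on the line.
java_from_startup() {
    line=$(sed -n '9p' "$1")
    set -- $line
    first=$1
    while [ $# -gt 0 ]; do
        if [ "$1" = nohup ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    printf '%s\n' "$first"
}

# Succeeds if the product installation directory contains a jre directory,
# the advisory's sign that an APC installed JRE is in use.
uses_bundled_jre() { [ -d "${1%/}/jre" ]; }

# Triage one host. $1 = startup script, $2 = PATH string to audit.
classify_host() {
    java_bin=$(java_from_startup "$1")
    for jre_dir in /usr/local/bin/jvm /usr/bin/jvm; do
        case "$java_bin" in
            "$jre_dir"/*)
                if path_exposes_jre "$2" "$jre_dir"; then
                    echo "apc-jre-on-path"    # mitigating factor no longer holds
                else
                    echo "apc-jre-isolated"   # the configuration the advisory expects
                fi
                return 0 ;;
        esac
    done
    echo "system-jre"   # update per Oracle, then rerun the PCNS installer
}
```

Call `classify_host` with the path to the PCNS startup script and the `PATH` value of the account being audited; the string comparison does not follow symbolic links, so a linked `java` binary needs a separate check.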

    For system installed JREs being used by PCNS
    1. Stop the PowerChute Network Shutdown Service - Daemon
    2. Update all vulnerable system installed JREs to a patched version according to Oracle's recommendations. If updating from version 6 to version 7, install version 7, then uninstall version 6.
    3. Run the PowerChute Network Shutdown installer as an upgrade. PCNS will now use the updated Java.

    If it’s necessary to remove PCNS installed JREs, follow the steps below:
    1. Uninstall PowerChute Network Shutdown
    2. Install a patched version of the JRE according to Oracle's recommendations.
    3. Reinstall PowerChute Network Shutdown


    Exploitation and Public Announcements
    APC is not aware of any malicious use of the vulnerabilities described in this advisory.

    Status of this notice: ACTIVE

    THIS IS AN ACTIVE ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.

    IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.

    Distribution
    This bulletin and any future updates will be posted to APC's website.


    Copyright
    This notice is Copyright 2007 by American Power Conversion Corporation. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.
     
