Welcome to the new Schneider Electric Community

It's your place to connect with experts and peers, get continuous support, and share knowledge.

Close
Important Announcement: WELCOME to the new Schneider Electric Community! Community is now no longer part of Exchange, and is now rebranded under se.com. If you have any bookmarks and links saved, we request you to update them to ensure that you continue accessing our community from this new location. For any issues that you might encounter as part of this change, please reach out to SchneiderCommunity.Support@se.com, and the team will help to get your issues resolved.
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
Send Invite Cancel
82242members
349809posts

PowerChute Business - Serious Java Issue

APC UPS Data Center Backup Solutions Forum

Schneider Electric support forum for Data Center UPS, software and services including our APC offers designed to share knowledge, installation, configuration, and general product use.

Solved
jhvance_apc
Ensign
Ensign
0 Likes
2
167

PowerChute Business - Serious Java Issue

This was originally posted on APC forums on 4/19/2011


The current version of PCBE (v9.01) available for download installs an obsolete and highly insecure version of Java -- JRE6u19 was superceded a full year ago and the current/secure version from Sun/Oracle is JRE6u24, with a total of five (5) JRE updates that are more recent than what's built into the PCBE installer. Furthermore, PCBE apparently requires that obsolete version it installs to function properly, and if it is manually removed (which must be done in Safe Mode to accomplish file deletions) PCBE won't function at all.

Why isn't the downloadable installation file available on the APC website re-compiled on a timely basis to include the latest patched version of Java, say within a few days of a new Java release?

Why doesn't PCBE use an already-installed version of Java on a user's computer if it's more recent (and more secure) than what's embedded in the compiled installer, instead of forcing the obsolete version onto a user?

Why does APC think I should be willing to house an insecure Java version on any of my computers, given the potential security risks entailed by allowing that old version remain and become potentially available for use by some application other than PCBE (e.g., malware that managed to get by my layered-security screen)?


Accepted Solutions
BillP
Administrator Administrator
Administrator
0 Likes
0
167

Re: PowerChute Business - Serious Java Issue

This reply was originally posted by Angela on APC forums on 4/20/2011


hi,

here are some comments from APC, based on your post above:

The current version of PCBE (v9.01) available for download installs an obsolete and highly insecure version of Java -- JRE6u19 was superceded a full year ago and the current/secure version from Sun/Oracle is JRE6u24, with a total of five (5) JRE updates that are more recent than what's built into the PCBE installer. Furthermore, PCBE apparently requires that obsolete version it installs to function properly, and if it is manually removed (which must be done in Safe Mode to accomplish file deletions) PCBE won't function at all.
This is always the case when bundling a JRE in an application. When we update PCBE, we bundle the latest JRE at that time. PCBE 9.0.1 was a minor update to 9.0, so the JRE wasn't updated in this case. The JRE configuration tool on the website was created for this purpose. You can download the tool from this link: http://www.apc.com/products/family/index.cfm?id=125
Why isn't the downloadable installation file available on the APC website re-compiled on a timely basis to include the latest patched version of Java, say within a few days of a new Java release?
We would have to release a new version of PCBE every time a new JRE was released. If a JRE has significant vulnerabilities do we recommend customers to upgrade using the JRE upgrade tool and as stated above the JRE tool is available to anyone that does want to upgrade.
Why doesn't PCBE use an already-installed version of Java on a user's computer if it's more recent (and more secure) than what's embedded in the compiled installer, instead of forcing the obsolete version onto a user?
We have many customers want the JRE version to be fixed.
Why does APC think I should be willing to house an insecure Java version on any of my computers, given the potential security risks entailed by allowing that old version remain and become potentially available for use by some application other than PCBE (e.g., malware that managed to get by my layered-security screen)?
We are going in the direction of making the JRE either public or fixed and this will be implemented in a future release.

See Answer In Context

2 Replies 2
jhvance_apc
Ensign
Ensign
0 Likes
0
167

Re: PowerChute Business - Serious Java Issue

This was originally posted on APC forums on 4/20/2011


Thanks for the response and clarifications. I also received a response this morning from the online APC rep who has been assisting me over the past week with resolving communications issues between my older SU1400NET UPS (now refurbished with a new battery) and one of my office computers running Windows Vista Ultimate. She provided links to both the JRE Configuration Tool ZIP file and the PDF instructions for its installation, and later today I'll tackle the re-installation of PCBE and the tool to update JRE and hopefully resolve this process completely.

However, I'll just point out that downloading the tool from the link she provided requires login to a registered user's "personal page" and it isn't presented in the list of freely available or purchasable software when a search is performed on the APC website's software/firmware downloads page -- whether by using its specific name ("JRE Configuration Tool" in quotes) or by selection of the generic PCBE drop-down option to get all available relevant downloads. The PCBE v9.01 installer (with the insecure Java version embedded) is presented by the latter approach in both software categories (free up to 5 or fewer nodes, purchasable up to 25), so I'd really suggest that the configuration tool receive a more prominent listing in the group of freely available software to help those users (like myself) who really want to maintain a higher level of security in our networks and equipment.

BillP
Administrator Administrator
Administrator
0 Likes
0
168

Re: PowerChute Business - Serious Java Issue

This reply was originally posted by Angela on APC forums on 4/20/2011


hi,

here are some comments from APC, based on your post above:

The current version of PCBE (v9.01) available for download installs an obsolete and highly insecure version of Java -- JRE6u19 was superceded a full year ago and the current/secure version from Sun/Oracle is JRE6u24, with a total of five (5) JRE updates that are more recent than what's built into the PCBE installer. Furthermore, PCBE apparently requires that obsolete version it installs to function properly, and if it is manually removed (which must be done in Safe Mode to accomplish file deletions) PCBE won't function at all.
This is always the case when bundling a JRE in an application. When we update PCBE, we bundle the latest JRE at that time. PCBE 9.0.1 was a minor update to 9.0, so the JRE wasn't updated in this case. The JRE configuration tool on the website was created for this purpose. You can download the tool from this link: http://www.apc.com/products/family/index.cfm?id=125
Why isn't the downloadable installation file available on the APC website re-compiled on a timely basis to include the latest patched version of Java, say within a few days of a new Java release?
We would have to release a new version of PCBE every time a new JRE was released. If a JRE has significant vulnerabilities do we recommend customers to upgrade using the JRE upgrade tool and as stated above the JRE tool is available to anyone that does want to upgrade.
Why doesn't PCBE use an already-installed version of Java on a user's computer if it's more recent (and more secure) than what's embedded in the compiled installer, instead of forcing the obsolete version onto a user?
We have many customers want the JRE version to be fixed.
Why does APC think I should be willing to house an insecure Java version on any of my computers, given the potential security risks entailed by allowing that old version remain and become potentially available for use by some application other than PCBE (e.g., malware that managed to get by my layered-security screen)?
We are going in the direction of making the JRE either public or fixed and this will be implemented in a future release.