Posted: 2021-07-01 01:29 AM . Last Modified: 2024-03-06 01:38 AM
Java issues, AGAIN
Okay, the PCBE reliance on Java is getting really old and tiresome, even with the JRE configuration applet made available to modify after-the-fact the rather ancient version (v6 update 19) which is installed each and every time PCBE must be fully uninstalled and then reinstalled again in order to update Java whenever Sun/Oracle releases a new version. When PCBE was initially released years ago and even when the v9.0.1 update was provided in 2011, Java was not the malware vector it has become over the past year as flaws are discovered and now exploited in the wild long before Sun/Oracle gets around to their longstanding quarterly patch schedule.
One of those was in July, but under a rather serious emergency circumstance to address a flaw they had been notified of in April but now being widely exploited. An out-of-schedule update (to v7 update 7) was quietly released late last week after numerous credible security research experts not only provided warnings of the flaw (and its increasing spread through poisoned website code as they were taken over by various miscreants), but who also strongly and repeatedly encouraged users to at least disable it in their browsers if not simply uninstall it completely from their systems.
I've got one Windows Vista Ultimate 32-bit machine which is supported by an aging but still functional APC SU1400 running PCBE, and I've consistently had problems in getting this update do-si-do to resolve and function properly, but normally after a few cycles of uninstalling and reinstalling everything it will somehow sort out whatever issues there are and settle into a configuration that consistently works over repeated boot cycles. However, for the past few days I've repeatedly uninstalled the PCBE Console/Server/Agent and Java, rebooted that machine (and the entire network) and reinstalled in the reverse sequence (i.e., Agent/Server/Console) before running the JRE configuration applet that switches PCBE to use the new updated v7u7 version and delete the ancient v6u19 version. In each cycle, regardless of whether I install the new Java before or wait until after the Agent/Server/Console reinstallation sequence, everything works fine with the old Java version up to the point where that JRE re-configuration step breaks the communications link between Server and Agent which had previously been successfully established and consistently recognized.
I can generally see the console information by using a browser to alternatively login via http://127.0.0.1:3052, but not by going directly into the console application -- it doesn't successfully recognize the node or have the capability to successfully "add" it to the list if I make the manual attempt. To say it's frustrating and a serious waste of my time is an understatement. It is simply NOT a realistic or viable option to recommend that users retain the old and flawed version of Java in order to make their APC product functional!
So, here are a couple of impertinent questions:
1. Why does the JRE reconfiguration tool appear to successfully change the JRE version but break that Server-Agent communications link and then not allow me to re-establish it properly again through the Console, and what else can I try that might work around this issue? Is it something in this new Java 7u7 version?
2. Why won't APC simply recompile the PCBE installer file that incorporates each newly-released and updated version of Java, even if the base PCBE version installed remains at v9.0.1?
I've spent way too much time futzing with this thing -- to the point where I'm really so disenchanted and disinclined that it's unlikely I'll ever want to consider another APC product.
Accepted Solutions
Hey Jim,
These appear to be vulnerabilities with Java-in-the-web-browser (as the Register article nicely calls it). The JVM installed with PCBE is only used to run PCBE so it shouldn't be vulnerable. Is there something I'm missing?
Just to make sure the PCBE developers didn't install a copy of Java capable of running in the browser, I did two tests inside a VirtualBox VM (Oracle... the irony, I know):
- Does the private JVM installed with PCBE on a machine WITHOUT Java run code in a browser?
- Does the private JVM installed with PCBE on a machine WITH Java run code in a browser?
Results:
- PCBE (w/ private JVM), no public JVM => Attempt to load an applet in my browser shows a broken plugin icon
- PCBE (w/ private JVM), Oracle v7 JVM => Applet loads using Oracle v7 JVM. Also, PCBE's JVM is not listed in the Java control panel.
So it seems to me like PCBE's private JVM may be old but it is not an exposed attack surface.
I also tried using the JRE reconfiguration tool to see if I could replicate the communication problem you had. The JRE reconfiguration tool didn't work at all for me, even after a restart, though it nicely rolled back its changes. I'd look for a firewall issue here.
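As an added illustration (not part of anyone's post in this thread), a small Python helper that does the version bookkeeping behind the discussion above: it parses the `java -version` style strings (`1.6.0_19`, `1.7.0_07`) and the short `6u19` / `7u7` form, and flags every inventoried JRE, private or public, that sits below a chosen patch level. The inventory is a constructed sample, not output from a real PCBE host.

```python
import re
from typing import List, Optional, Tuple

# Long form reported by `java -version` in the Java 6/7 era: 1.<major>.0_<update>
_LONG = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")
# Short marketing form used in the thread: 6u19, 7u7
_SHORT = re.compile(r"^(\d+)u(\d+)$")


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java version string, or None if unrecognised."""
    m = _SHORT.match(text.strip())
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _LONG.search(text)
    if m:
        # "1.7.0_07" -> major 7, update 7; "1.6.0_19" -> major 6, update 19
        return int(m.group(2)), int(m.group(4) or 0)
    return None


def is_below(installed: str, minimum: str) -> bool:
    """True if `installed` is older than `minimum`; tuples compare major first."""
    have, want = parse_java_version(installed), parse_java_version(minimum)
    if have is None or want is None:
        raise ValueError(f"unrecognised version string: {installed!r} / {minimum!r}")
    return have < want


def audit(jres: List[Tuple[str, str]], minimum: str) -> List[str]:
    """Return the labels of every inventoried JRE that is below `minimum`.

    `jres` is a list of (label, version_text) pairs, one per JRE found on a host,
    so a product-bundled private JVM is checked alongside the public install.
    """
    return [label for label, version in jres if is_below(version, minimum)]


# Constructed sample inventory for one host (hypothetical values, not real output).
SAMPLE_INVENTORY = [
    ("PCBE private JRE", 'java version "1.6.0_19"'),
    ("Oracle public JRE", 'java version "1.7.0_07"'),
]

if __name__ == "__main__":
    for label in audit(SAMPLE_INVENTORY, "7u7"):
        print(f"below 7u7: {label}")
```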
If anyone at APC needs more clarity on the risk which these latest Java exploits pose to users of PCBE who haven't been able to keep its version of Java updated without disabling the UPS Console software functionality, here are just a few links to underscore and emphasize the threat:
Symantec: Criminals Quickly Adopt Java 0-Day Exploit
http://www.eweek.com/c/a/Security/Symantec-Criminals-Quickly-Adopt-Java-0Day-Exploit-584776/
Oracle Java Patch Has Security Flaw, Researchers Say
http://www.eweek.com/c/a/Security/Oracle-Java-Patch-Has-Security-Flaw-Researchers-Say-752035/
Thanks ever so much Java, for that biz-wide rootkit infection
http://www.theregister.co.uk/2012/09/03/java_cleanup/
Hello, thanks for the feedback. I sent this post off to the PCBE team to review your comments. Here is what I can tell you now based on some feedback from the PCBE support team.
If you don't want to deal with the Java-based software, apcupsd might be a good alternative if you have not looked into it. It is third-party software but works well and supports many operating systems.
Java version 7, update 7 has not been tested, but I can at least pass the feedback along on the justification for it since it is not under my umbrella of support. We can also accept the feedback on the patched versions.