APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-12-11 12:04 PM
It looks like the log4j files included in Powerchute may be vulnerable to the log4shell vulnerability
C:\Program Files\APC\PowerChute>dir *log*.jar /b/s/l
c:\program files\apc\powerchute\group1\lib\commons-logging-1.1.1.jar
c:\program files\apc\powerchute\group1\lib\log4j-api-2.10.0.jar
c:\program files\apc\powerchute\group1\lib\log4j-core-2.10.0.jar
c:\program files\apc\powerchute\group1\lib\log4j-slf4j-impl-2.10.0.jar
Can anybody confirm and provide any necessary patches/instructions to update?
It would also be good to add an official statement to the reddit post at https://www.reddit.com/r/msp/comments/rdba36/critical_rce_vulnerability_is_affecting_java/
Posted: 2021-12-15 06:28 AM . Last Modified: 2021-12-16 03:42 PM
Updating this post with SE security bulletin.
To mitigate the Apache Log4j vulnerability (Log4Shell) in PowerChute, follow the instructions in the linked security bulletin.
https://www.se.com/ww/en/download/document/SESB-2021-347-01/
Posted: 2021-12-12 01:12 PM
I too can confirm.
PowerChute Business Edition 10.0.2.301
C:\Program Files (x86)\APC\PowerChute Business Edition\agent\lib\log4j-core-2.11.1.jar
Posted: 2021-12-13 12:24 AM
Can someone provide more info about this.
Fixes, Statements, Patches etc.. ?
Or does someone know if something like this is possible and where:
-Dlog4j2.formatMsgNoLookups=true
Posted: 2021-12-13 09:28 AM
Powerchute Remote Shutdown 4.3 contains affected versions as well:
/opt/APC/PowerChute/group1/lib/log4j-core-2.10.0.jar
/opt/APC/PowerChute/group1/lib/log4j-api-2.10.0.jar
/opt/APC/PowerChute/group1/lib/log4j-slf4j-impl-2.10.0.jar
/opt/APC/PowerChute/group1/log4j2.xml
Posted: 2021-12-13 10:17 AM
It's probably worth fire-walling port 6547 regardless. At least that's the port for Business Edition 9.5, not sure about other versions.
Posted: 2021-12-14 07:35 AM
As my version was between 2.0 and 2.10, I removed the JndiLookup.class from the jar
zip -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Posted: 2021-12-14 09:15 AM
According to this:
https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
If you Upgrade to 10.0.4 you should be fine. 👍
Posted: 2021-12-14 09:29 AM
Where do you see anything saying 10.0.4 is ok on the link you provided?
Posted: 2021-12-14 02:36 PM
APC | PowerChute Business Edition | Unknow to 10.0.2.301 | Vulnerable |
Hm, yeah, maybe you're right...
I was a bit too fast, but here I guess it says from version Unknown to 10.0.2.301 is vulnerable.
So I thought version 10.0.4 should be fine.
Tomorrow I will try to install the new version on one of our test servers and I will look for the Log4j version.
I'll keep you up to date.
BTW:
I have already opened a ticket, but support is kind of misunderstanding the problem...
They just said thanks for sending us the info.
Someone else already told them that they got hacked, and he said to me their security team is already on it 😅
I was asking them to give a solution or at least a clear statement; I was not giving a hint about a hacking attack...
Posted: 2021-12-15 06:50 AM
Thanks Bill,
That's the conclusion I came to yesterday when running some tests.
Are there plans to update Powerchute to include version 16 of Log4j?
Posted: 2021-12-15 07:01 AM . Last Modified: 2021-12-15 07:03 AM
I tested it and installed it on one of our test servers.
To shorten it up: It is not safe!
We are here on a newer log4j but still vulnerable.
Version 2.14.1
I guess the best option is really to just block the FW port or do that 7zip thing. -.-
BTW:
Still no answer from the support...
Posted: 2021-12-15 07:05 AM
Bill,
I appreciate that you followed up so quickly on this matter, but I need some additional help.
The 7zip download is based in a data center in Finland, which is Geo-IP blocked from all my client sites. There is - and has been - no reason for any internet traffic to route there.
Second, this statement is telling everyone to install and use a third-party software program on a Windows Server. That's not something my clients will necessarily agree to.
So I'm caught between punching a hole through a client's firewall and using unsanctioned software to remove a problem - or asking, very politely, to have APC provide a less awkward solution.
Thanks!
Larry
Posted: 2021-12-15 07:58 AM
@LarryK Nearly all the remediations/patches for log4j require you to remove the class file from the jar file (which is a zip file) so you are going to need some sort of zip program on your machines to remedy the rest of your applications- not just Powerchute.
I would suggest downloading 7zip or hosting it internally so your clients can access. You mention client sites, so you are probably doing this via a RMM tool so you should be able to host the file on your server and then download via your rmm tool.
The alternative is to rename the file to .zip, extract the jar file using Explorer, delete the class file and then zip the files back up again using explorer.
Of course the other solution is to wait for a new version to come out. This will of course require a download at which point you are again downloading 3rd party software from the internet.
Posted: 2021-12-15 11:17 AM
I am using version 10.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4. Is this vulnerable as well?
Posted: 2021-12-15 12:05 PM
I ran your instructions:
"c:\Program Files\7-Zip\7z.exe" d log4j-core-2.11.1.jar JndiLookup.class -r
and it seemed to process correctly. But when I re-run Github's Log4j-finder.exe program, it still reports this file as a vulnerability. Is that expected?
Results of Log4j-finder scan:
VULNERABLE: C:\Program Files (x86)\APC\PowerChute Business Edition\agent\lib\log4j-core-2.11.1.jar -> org\apache\logging\log4j\core\net\JndiManager.class [04fdd701809d17465c17c7e603b1b202: log4j 2.9.0 - 2.11.2]
Posted: 2021-12-15 12:23 PM
As a follow-up, I then updated to PC Business Edition 10.0.4, ran Log4j-finder.exe and it listed log4j-core-2.14.1.jar as vulnerable. So I updated that JAR file, but Log4j-finder still says it's vulnerable.
Posted: 2021-12-15 12:30 PM
You need to remove the jndilookup.class and jndimanager.class file and not just JndiLookup.class to patch the vulnerability.
The other option (that I've not tested) would be to download 2.16 from https://www.apache.org/dyn/closer.lua/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip
Extract and then copy log4j-core-2.16.0.jar into the C:\Program Files (x86)\APC\PowerChute Business Edition\agent\lib directory
delete log4j-core-2.14.1.jar from this directory.
My understanding is that the version number in the files doesn't matter to Java (but I could be wrong on this).
Posted: 2021-12-15 12:41 PM
Thanks!
Yep, after I also ran "c:\Program Files\7-Zip\7z.exe" d log4j-core-2.14.1.jar JndiManager.class -r , then Log4j-finder did not find any vulnerabilities.
Posted: 2021-12-15 12:41 PM
I like the full jar file replacement much more than the cut-and-paste approach.
I would test this, but I'm currently on hold with APC tech support for a problem I'm experiencing with PCNS following a server reboot this past weekend (it's no longer talking to the NMC...).
Posted: 2021-12-15 12:43 PM
This sounds like a great time to test this as it can't get any worse right?
🙂
Posted: 2021-12-15 12:47 PM
Seriously...
What's the worst that could happen? Support suggests reinstalling PCNS...
Once I get done with another remote support session with another vendor.
Posted: 2021-12-15 01:07 PM
Just as another follow-up, on another server, I only ran "c:\Program Files\7-Zip\7z.exe" d log4j-core-2.14.1.jar JndiManager.class -r , then Log4j-finder did not report any vulnerabilities. So I'm not sure if that means you don't have to update the JndiLookup.class , but I still did for good measure.
Posted: 2021-12-15 01:08 PM
While logical, simply exchanging the 2.16 for 2.13 did not work.
When starting PCNS after the replacement, the service fails to start - no error message.
Was definitely worth a shot.
Posted: 2021-12-15 01:13 PM
That's odd, as removing JndiLookup.class is explicitly mentioned at https://logging.apache.org/log4j/2.x/security.html on how to fix the issue.
Larry, - that's a shame 😞
Posted: 2021-12-15 05:22 PM . Last Modified: 2021-12-16 09:19 AM
I sent in a support request on the 12th but haven't heard back yet.
Did however also read this:
https://isc.sans.edu/diary/rss/28134
Regardless, for better or worse, this is what I have done - not sure what evil it may cause - but anyway:
1. upgraded to the newest version of the Powerchute software
2. download the latest (v2.16) log4j file from here: https://logging.apache.org/log4j/2.x/download.html
3. extracted the three corresponding files that are used by pbe agent, namely:
log4-api-2.16.0.jar
log4-core-2.16.0.jar
log4-slf4j-2.16.0.jar
4. renamed them:
log4-api-2.14.1.jar
log4-core-2.14.1.jar
log4-slf4j-2.14.1.jar
5. stopped the apc pbe agent service
6. copied the renamed files from step 4 above to
C:\Program Files (x86)\APC\PowerChute Business Edition\agent\lib
7. started the apc pbe agent service
8. signed on, everything appeared to be working ok
Just sharing, don't know if you want to do this yourself - or if it would be of any help.
Posted: 2021-12-16 04:56 AM
Yes. The next releases of PCBE and PCNS will have updated log4j2. I'll post when I have release dates.
Posted: 2021-12-16 11:44 AM
Hi,
I have installed version 10.0.4 of Powerchute Business Edition and in C:\Program Files (x86)\APC\PowerChute Business Edition\agent\lib, there is log4j-core-2.14.1.jar.
I don't understand this NOTE: For v10.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4 replace the text in bold with log4j-core-2.11.1.jar and for v9.5 replace this with log4j-core-2.2.jar.
What command should I run?
I think, that for PBE version 10.0.4 it should be: "c:\Program Files\7-Zip\7z.exe" d log4j-core-2.14.1.jar JndiLookup.class -r
Thank you and excuse my English 🙂
Posted: 2021-12-16 12:02 PM
Hi Martin,
Yes, I also found that note confusing. I think you are correct in your conclusion. That's exactly what I ran after upgrading to v10.0.4.
But I believe they are missing another statement that needs to be run to fully mitigate the vulnerability, so I believe you also need to run this: "c:\Program Files\7-Zip\7z.exe" d log4j-core-2.14.1.jar JndiManager.class -r
If you use Github's Fox-it Log4j-finder.exe program (https://github.com/fox-it/log4j-finder ), it will keep reporting a vulnerability on that JAR file until you also fix the JndiManager.class section.
Posted: 2021-12-16 12:59 PM
Hi gsoyars,
exactly as you wrote. I used Log4j-finder.exe, too and the same result as you 😞
Overall, the solution is still quite confusing.....
I hope, they will update PBE as soon as possible.
Posted: 2021-12-20 09:21 AM
I was able to finally run this on our Linux PCNS device, however Tenable still reports this as being vulnerable due to it being on an outdated 2.10 version of log4j.
If I did not receive any errors when running the commands should I be concerned about this?
Posted: 2021-12-22 05:33 AM
PowerShell script which fixes the issue with the current version of Business Edition and Network Shutdown.
https://github.com/chaimblack/CyberSecurity/tree/main/Log4Shell
Posted: 2021-12-22 07:28 AM
This is the simplistic solution I was looking for (albeit a week after I took some very manual steps to remediate).
Good to have for other, possibly less nefarious, problems in the future.
Posted: 2021-12-28 06:07 PM
I am also seeing after running the commands posted by APC that log4j-core-2.11.1.jar is still being flagged as vulnerable. These steps appear to be incomplete.
APC, please advise.
Posted: 2022-01-04 04:45 AM
Hi,
We have posted an FAQ that includes scripts to correct the vulnerability.
https://www.se.com/ww/en/faqs/FAQ000229596/
You may see that PowerChute is flagged as vulnerable after running the scripts. It is being flagged because the version number has not been updated.
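Added example, not part of the original post and not APC's script: because the JAR keeps its file name and version after the class is deleted, a check has to look inside the archive. This Python sketch reports which of the two class entries named in this thread are still present and rewrites a JAR without a chosen entry; the sample JAR is constructed in memory with placeholder bytes, and all function names are hypothetical.

```python
import io
import zipfile

# Entry paths as quoted in this thread (zip -d command and scanner output).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_MANAGER = "org/apache/logging/log4j/core/net/JndiManager.class"


def jndi_classes_present(jar_bytes):
    """Return which of the two JNDI class entries are still inside the JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return [n for n in (JNDI_LOOKUP, JNDI_MANAGER) if n in names]


def strip_entries(jar_bytes, entries):
    """Rewrite the JAR without the given entries (the effect of zip -d / 7z d)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in entries:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def check_file(path):
    """Content check for a JAR on disk; the file name/version is ignored."""
    with open(path, "rb") as fh:
        return jndi_classes_present(fh.read())


def make_sample_jar():
    """Constructed stand-in for log4j-core-*.jar: real paths, placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_LOOKUP, b"placeholder")
        jar.writestr(JNDI_MANAGER, b"placeholder")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_sample_jar()
    print("before:", jndi_classes_present(jar))
    jar = strip_entries(jar, {JNDI_LOOKUP})
    print("after :", jndi_classes_present(jar))
```

Stop the PowerChute service and keep a backup of the original JAR before writing a rewritten archive back to the lib directory.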
Posted: 2022-01-04 06:29 AM
Seeking clarification of this statement:
Change directory to the location where you extracted the files and move to the Windows folder,
Opening an elevated Command prompt (which is explained in detail) places you in C:\Windows\system32.
The first part of the sentence says to "cd" to the folder with the extracted download. But I don't know what you mean by "move to the Windows folder". Do you mean to "cd" back to the starting location?
Thanks!