Welcome to the new Schneider Electric Community

It's your place to connect with experts and peers, get continuous support, and share knowledge.

  • Explore the new navigation for even easier access to your community.
  • Bookmark and use our new, easy-to-remember address (community.se.com).
  • Get ready for more content and an improved experience.

Contact SchneiderCommunity.Support@se.com if you have any questions.

Close
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
Send Invite Cancel
84488members
353706posts

PowerChute Business - Serious Java Issue

APC UPS Data Center & Enterprise Solutions Forum

Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.

Solved
jhvance_apc
Ensign
Ensign
0 Likes
2
214

PowerChute Business - Serious Java Issue

This was originally posted on APC forums on 4/19/2011


The current version of PCBE (v9.01) available for download installs an obsolete and highly insecure version of Java -- JRE6u19 was superceded a full year ago and the current/secure version from Sun/Oracle is JRE6u24, with a total of five (5) JRE updates that are more recent than what's built into the PCBE installer. Furthermore, PCBE apparently requires that obsolete version it installs to function properly, and if it is manually removed (which must be done in Safe Mode to accomplish file deletions) PCBE won't function at all.

Why isn't the downloadable installation file available on the APC website re-compiled on a timely basis to include the latest patched version of Java, say within a few days of a new Java release?

Why doesn't PCBE use an already-installed version of Java on a user's computer if it's more recent (and more secure) than what's embedded in the compiled installer, instead of forcing the obsolete version onto a user?

Why does APC think I should be willing to house an insecure Java version on any of my computers, given the potential security risks entailed by allowing that old version remain and become potentially available for use by some application other than PCBE (e.g., malware that managed to get by my layered-security screen)?


Accepted Solutions
BillP
Administrator Administrator
Administrator
0 Likes
0
214

Re: PowerChute Business - Serious Java Issue

This reply was originally posted by Angela on APC forums on 4/20/2011


hi,

here are some comments from APC, based on your post above:

The current version of PCBE (v9.01) available for download installs an obsolete and highly insecure version of Java -- JRE6u19 was superceded a full year ago and the current/secure version from Sun/Oracle is JRE6u24, with a total of five (5) JRE updates that are more recent than what's built into the PCBE installer. Furthermore, PCBE apparently requires that obsolete version it installs to function properly, and if it is manually removed (which must be done in Safe Mode to accomplish file deletions) PCBE won't function at all.
This is always the case when bundling a JRE in an application. When we update PCBE, we bundle the latest JRE at that time. PCBE 9.0.1 was a minor update to 9.0, so the JRE wasn't updated in this case. The JRE configuration tool on the website was created for this purpose. You can download the tool from this link: http://www.apc.com/products/family/index.cfm?id=125
Why isn't the downloadable installation file available on the APC website re-compiled on a timely basis to include the latest patched version of Java, say within a few days of a new Java release?
We would have to release a new version of PCBE every time a new JRE was released. If a JRE has significant vulnerabilities do we recommend customers to upgrade using the JRE upgrade tool and as stated above the JRE tool is available to anyone that does want to upgrade.
Why doesn't PCBE use an already-installed version of Java on a user's computer if it's more recent (and more secure) than what's embedded in the compiled installer, instead of forcing the obsolete version onto a user?
We have many customers want the JRE version to be fixed.
Why does APC think I should be willing to house an insecure Java version on any of my computers, given the potential security risks entailed by allowing that old version remain and become potentially available for use by some application other than PCBE (e.g., malware that managed to get by my layered-security screen)?
We are going in the direction of making the JRE either public or fixed and this will be implemented in a future release.

See Answer In Context

2 Replies 2
jhvance_apc
Ensign
Ensign
0 Likes
0
214

Re: PowerChute Business - Serious Java Issue

This was originally posted on APC forums on 4/20/2011


Thanks for the response and clarifications. I also received a response this morning from the online APC rep who has been assisting me over the past week with resolving communications issues between my older SU1400NET UPS (now refurbished with a new battery) and one of my office computers running Windows Vista Ultimate. She provided links to both the JRE Configuration Tool ZIP file and the PDF instructions for its installation, and later today I'll tackle the re-installation of PCBE and the tool to update JRE and hopefully resolve this process completely.

However, I'll just point out that downloading the tool from the link she provided requires login to a registered user's "personal page" and it isn't presented in the list of freely available or purchasable software when a search is performed on the APC website's software/firmware downloads page -- whether by using its specific name ("JRE Configuration Tool" in quotes) or by selection of the generic PCBE drop-down option to get all available relevant downloads. The PCBE v9.01 installer (with the insecure Java version embedded) is presented by the latter approach in both software categories (free up to 5 or fewer nodes, purchasable up to 25), so I'd really suggest that the configuration tool receive a more prominent listing in the group of freely available software to help those users (like myself) who really want to maintain a higher level of security in our networks and equipment.

BillP
Administrator Administrator
Administrator
0 Likes
0
215

Re: PowerChute Business - Serious Java Issue

This reply was originally posted by Angela on APC forums on 4/20/2011


hi,

here are some comments from APC, based on your post above:

The current version of PCBE (v9.01) available for download installs an obsolete and highly insecure version of Java -- JRE6u19 was superceded a full year ago and the current/secure version from Sun/Oracle is JRE6u24, with a total of five (5) JRE updates that are more recent than what's built into the PCBE installer. Furthermore, PCBE apparently requires that obsolete version it installs to function properly, and if it is manually removed (which must be done in Safe Mode to accomplish file deletions) PCBE won't function at all.
This is always the case when bundling a JRE in an application. When we update PCBE, we bundle the latest JRE at that time. PCBE 9.0.1 was a minor update to 9.0, so the JRE wasn't updated in this case. The JRE configuration tool on the website was created for this purpose. You can download the tool from this link: http://www.apc.com/products/family/index.cfm?id=125
Why isn't the downloadable installation file available on the APC website re-compiled on a timely basis to include the latest patched version of Java, say within a few days of a new Java release?
We would have to release a new version of PCBE every time a new JRE was released. If a JRE has significant vulnerabilities do we recommend customers to upgrade using the JRE upgrade tool and as stated above the JRE tool is available to anyone that does want to upgrade.
Why doesn't PCBE use an already-installed version of Java on a user's computer if it's more recent (and more secure) than what's embedded in the compiled installer, instead of forcing the obsolete version onto a user?
We have many customers want the JRE version to be fixed.
Why does APC think I should be willing to house an insecure Java version on any of my computers, given the potential security risks entailed by allowing that old version remain and become potentially available for use by some application other than PCBE (e.g., malware that managed to get by my layered-security screen)?
We are going in the direction of making the JRE either public or fixed and this will be implemented in a future release.