PowerChute Business - Serious Java Issue

Anonymous user · ‎2021-06-30

The current version of PCBE (v9.01) available for download installs an obsolete and highly insecure version of Java -- JRE6u19 was superceded a full year ago and the current/secure version from Sun/Oracle is JRE6u24, with a total of five (5) JRE updates that are more recent than what's built into the PCBE installer. Furthermore, PCBE apparently requires that obsolete version it installs to function properly, and if it is manually removed (which must be done in Safe Mode to accomplish file deletions) PCBE won't function at all.

Why isn't the downloadable installation file available on the APC website re-compiled on a timely basis to include the latest patched version of Java, say within a few days of a new Java release?

Why doesn't PCBE use an already-installed version of Java on a user's computer if it's more recent (and more secure) than what's embedded in the compiled installer, instead of forcing the obsolete version onto a user?

Why does APC think I should be willing to house an insecure Java version on any of my computers, given the potential security risks entailed by allowing that old version remain and become potentially available for use by some application other than PCBE (e.g., malware that managed to get by my layered-security screen)?

BillP · ‎2021-06-30

hi,

here are some comments from APC, based on your post above:

The current version of PCBE (v9.01) available for download installs an obsolete and highly insecure version of Java -- JRE6u19 was superceded a full year ago and the current/secure version from Sun/Oracle is JRE6u24, with a total of five (5) JRE updates that are more recent than what's built into the PCBE installer. Furthermore, PCBE apparently requires that obsolete version it installs to function properly, and if it is manually removed (which must be done in Safe Mode to accomplish file deletions) PCBE won't function at all.

This is always the case when bundling a JRE in an application. When we update PCBE, we bundle the latest JRE at that time. PCBE 9.0.1 was a minor update to 9.0, so the JRE wasn't updated in this case. The JRE configuration tool on the website was created for this purpose. You can download the tool from this link: http://www.apc.com/products/family/index.cfm?id=125

Why isn't the downloadable installation file available on the APC website re-compiled on a timely basis to include the latest patched version of Java, say within a few days of a new Java release?

We would have to release a new version of PCBE every time a new JRE was released. If a JRE has significant vulnerabilities do we recommend customers to upgrade using the JRE upgrade tool and as stated above the JRE tool is available to anyone that does want to upgrade.

Why doesn't PCBE use an already-installed version of Java on a user's computer if it's more recent (and more secure) than what's embedded in the compiled installer, instead of forcing the obsolete version onto a user?

We have many customers want the JRE version to be fixed.

Why does APC think I should be willing to house an insecure Java version on any of my computers, given the potential security risks entailed by allowing that old version remain and become potentially available for use by some application other than PCBE (e.g., malware that managed to get by my layered-security screen)?

We are going in the direction of making the JRE either public or fixed and this will be implemented in a future release.

See Answer In Context

Anonymous user · ‎2021-06-30

Thanks for the response and clarifications. I also received a response this morning from the online APC rep who has been assisting me over the past week with resolving communications issues between my older SU1400NET UPS (now refurbished with a new battery) and one of my office computers running Windows Vista Ultimate. She provided links to both the JRE Configuration Tool ZIP file and the PDF instructions for its installation, and later today I'll tackle the re-installation of PCBE and the tool to update JRE and hopefully resolve this process completely.

However, I'll just point out that downloading the tool from the link she provided requires login to a registered user's "personal page" and it isn't presented in the list of freely available or purchasable software when a search is performed on the APC website's software/firmware downloads page -- whether by using its specific name ("JRE Configuration Tool" in quotes) or by selection of the generic PCBE drop-down option to get all available relevant downloads. The PCBE v9.01 installer (with the insecure Java version embedded) is presented by the latter approach in both software categories (free up to 5 or fewer nodes, purchasable up to 25), so I'd really suggest that the configuration tool receive a more prominent listing in the group of freely available software to help those users (like myself) who really want to maintain a higher level of security in our networks and equipment.

BillP · ‎2021-06-30

hi,

here are some comments from APC, based on your post above:

The current version of PCBE (v9.01) available for download installs an obsolete and highly insecure version of Java -- JRE6u19 was superceded a full year ago and the current/secure version from Sun/Oracle is JRE6u24, with a total of five (5) JRE updates that are more recent than what's built into the PCBE installer. Furthermore, PCBE apparently requires that obsolete version it installs to function properly, and if it is manually removed (which must be done in Safe Mode to accomplish file deletions) PCBE won't function at all.

This is always the case when bundling a JRE in an application. When we update PCBE, we bundle the latest JRE at that time. PCBE 9.0.1 was a minor update to 9.0, so the JRE wasn't updated in this case. The JRE configuration tool on the website was created for this purpose. You can download the tool from this link: http://www.apc.com/products/family/index.cfm?id=125

Why isn't the downloadable installation file available on the APC website re-compiled on a timely basis to include the latest patched version of Java, say within a few days of a new Java release?

We would have to release a new version of PCBE every time a new JRE was released. If a JRE has significant vulnerabilities do we recommend customers to upgrade using the JRE upgrade tool and as stated above the JRE tool is available to anyone that does want to upgrade.

Why doesn't PCBE use an already-installed version of Java on a user's computer if it's more recent (and more secure) than what's embedded in the compiled installer, instead of forcing the obsolete version onto a user?

We have many customers want the JRE version to be fixed.

Why does APC think I should be willing to house an insecure Java version on any of my computers, given the potential security risks entailed by allowing that old version remain and become potentially available for use by some application other than PCBE (e.g., malware that managed to get by my layered-security screen)?

We are going in the direction of making the JRE either public or fixed and this will be implemented in a future release.