PowerChute Network Shutdown 5.0 - 7.5 (High) Vulnerability - CVE-2023-20860

christophershaw · ‎2023-11-20

Looks like the latest version of PowerChute Network Shutdown (latest version - 5.0.0) has a vulnerability in the VMware Spring Runtime (spring-core-5.3.22.jar). I've confirmed the file does exist in the {Installation Drive}:\Program Files\APC\PowerChute\group1\lib\ directory and is vulnerable to the CVE below.

I've made an inquiry to SE on the form at https://www.se.com/us/en/work/support/contacts.jsp after waiting hours on the phone/chat to responsibly report, but since the CVE was posted on 03/27/2023 (https://www.cve.org/CVERecord?id=CVE-2023-20860) there should have been more than enough time to respond and resolve the issue.

Are there any plans to release an update to PCNS to update the Spring Framework dependency? https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-...

When the update is issued, will the latest version from the Spring Framework (6.1.0) be used? There are several other CVE's that exist in the 5.x versions.

Here's the output of Greenbone Security Assistant (GSA) scan on my Windows Server 2022 VM running APC PowerChute Network Shutdown 5.0:

Summary

The VMware Spring Framework is prone to a security bypass vulnerability.

Detection Result

Installed version: 5.3.22
Fixed version:     5.3.26/6.0.7
Installation
path / port:       C:\Program Files\APC\PowerChute\group1\lib\spring-core-5.3.22.jar

Insight

Using '**' as a pattern in Spring Security configuration with the 'mvcRequestMatcher' creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Detection Method

Checks if a vulnerable version is present on the target host.

Details:	VMware Spring Framework 5.3.x < 5.3.26, 6.0.x < 6.0.7 Security Bypass ...OID: 1.3.6.1.4.1.25623.1.0....
Version used:	2023-10-12T22:06:10-08:00

Affected Software/OS

VMware Spring Framework versions 5.3.x prior to 5.3.26 and 6.0.x prior to 6.0.7. Versions older than 5.3 are not affected.

Solution

Solution Type:

Vendorfix

Update to version 5.3.26, 6.0.7 or later.

References

CVE	CVE-2023-20860
CERT	DFN-CERT-2023-1648DFN-CERT-2023-1512DFN-CERT-2023-1465DFN-CERT-2023-1449DFN-CERT-2023-1167WID-SEC-2023-1807WID-SEC-2023-1755WID-SEC-2023-1142WID-SEC-2023-0697
Other	https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-...https://spring.io/security/cve-2023-20860