Release Notes for NetShelter™ Rack Power Distribution Units and In-Line Current Meters with NMC3 Firmware v2.5.2.5

AOS: 2.5.3.2

APP: 2.5.2.5

New Feature

• None

• The LCD displays the Alarm Status to show the details of all the alarms present in the device.

• Downloading the Event Log via the Web UI works as expected when the language is set to Japanese.

• If the slave ID is unavailable, Modbus will display the error message Slave Device Failure for the register addresses.
• Modbus will display a value of -1 for the Peak Temperature Capture Time if the T/TH sensor is not connected to the device.
• Modbus can read values for the Outlet Layout Description even if the T/TH sensor is not connected to the device.
• No Invalid Value error message appears for the TH/T sensor when the config.ini file is uploaded.
• If a sensor is not connected to the device, none of the interfaces will display any parameter values.
• Invalid threshold values for the Temperature and Humidity parameters are not permitted.
• If an invalid value is set for the wait parameter in the cold start delay, the Immediate and Never options in the device configuration will remain inactive.
• The Bank and Phrase current thresholds now support decimal values to the tenth place. This feature is available in the web UI, CLI, SNMP and the config.ini file. New OIDs have been added to accommodate this change in the SNMP interfaces.
• The Range value (1-99) for Network-LED blink duration is specified on the NMC web page.

APC Operating System

The following security vulnerabilities have been addressed in this release:

• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  SSH Cipher Block Chaining (CBC) cipher has been removed.
  
  
• CWE-523: Unprotected Transport of Credentials. Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
  CWE-319: Cleartext Transmission of Sensitive Information. The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
  
  The user is now referenced as an index rather than their username, for example: NMC/KrtUvuh39YtQmHbyua297g/usercfg.htm?user=2
  
  
• CWE-863: Incorrect Authorization
  
  The Network-Only user can only perform actions in the Web UI relevant to the user access level.
  
  
• CWE-20: Improper Input Validation
  
  Incoming BACnet packet sizes are now validated.
  
  
• CWE-598: Use of GET Request Method With Sensitive Query Strings. This software uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
  
  Configuration of HSTS is now independent from HTTP or HTTPS configuration. When HSTS is enabled an STS header is added to all responses over HTTPS.

None

APDU9•••, AP8•••, AP7•••B, and AP71••B Applications

None