PowerChute Network Shutdown is affected by CVE-2023-20860 and CVE-2023-20861

Issue: PowerChute Network Shutdown is affected by CVE-2023-20860 and CVE-2023-20861

Products: PowerChute Network Shutdown v5.0

Environment: All supported OS

Cause: Spring 5.3.22 vulnerability

Solution: Update the Spring library to mitigate CVE-2023-20860 and CVE-2023-20861

Steps: On a Windows system

  1. Stop the PowerChute service.
    1. Open a command prompt as an administrator and enter: net stop PCNS1
  2. Remove the old JAR files from the group1\lib folder.
    1. The default path for PowerChute is C:\Program Files\APC\PowerChute\group1
    2. From C:\Program Files\APC\PowerChute\group1\lib, remove spring-aop-5.3.22.jar, spring-beans-5.3.22.jar, spring-context-5.3.22.jar, spring-core-5.3.22.jar, spring-expression-5.3.22.jar and spring-web-5.3.22.jar
  3. Copy in the new 5.3.29 Spring JAR files. The files are attached as a zip to this FAQ.
    1. Uncompress the zip and copy the contents of the Spring5.3.29 folder to group1\lib
  4. Start the PowerChute service.
    1. From the command prompt, as an administrator, enter: net start PCNS1

Steps: On a Linux system

NOTE: Linux is case sensitive when entering command and file names.

  1. Stop the PowerChute service.
    1. Open a terminal window with root privileges and enter: sudo systemctl stop PowerChute
  2. Remove the old JAR files from the group1/lib folder.
    1. The default path for PowerChute is /opt/APC/PowerChute/group1
    2. To remove the files, cd to /opt/APC/PowerChute/group1/lib
    3. Remove spring-aop-5.3.22.jar, spring-beans-5.3.22.jar, spring-context-5.3.22.jar, spring-core-5.3.22.jar, spring-expression-5.3.22.jar and spring-web-5.3.22.jar
    4. The command is: sudo rm -rf spring-*
  3. Copy in the new 5.3.29 Spring JAR files. The files are attached as a zip to this FAQ.
    1. Uncompress the zip and copy the contents of the Spring5.3.29 folder to group1/lib
  4. Start the PowerChute service.
    1. From the terminal, as an administrator, enter: sudo systemctl start PowerChute

When replacing the Spring files on a Linux system that does not have a GUI, download the zip to a Windows system and uncompress the folder. Then, using an SFTP program (FileZilla, WinSCP), copy the files to the Linux system. The Linux system must have SSH enabled to allow a connection. To enable SSH on a Linux system, run the command systemctl start sshd
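
A post-update check for the Linux steps above, as an added example that is not part of the original FAQ or APC's tooling: it confirms that each of the six Spring modules is present at 5.3.29 and that no other version of those modules remains in group1/lib. It assumes the replacement files are named spring-<module>-5.3.29.jar, which the FAQ does not state; the function name check_spring_libs is hypothetical.

```shell
#!/bin/sh
# Added example: verify the Spring JARs in a PowerChute lib folder after the update.
# Assumption: the replacement files are named spring-<module>-5.3.29.jar for the
# same six modules the FAQ lists at 5.3.22.

MODULES="aop beans context core expression web"
NEW_VERSION="5.3.29"

# check_spring_libs DIR  (hypothetical helper name)
# Prints one finding per line. Returns 0 only if every module is present at
# NEW_VERSION and no other version of a listed module is left in DIR.
check_spring_libs() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 2
    fi
    for m in $MODULES; do
        want="spring-$m-$NEW_VERSION.jar"
        if [ ! -f "$dir/$want" ]; then
            echo "MISSING: $want"
            rc=1
        fi
        # Two versions of one module on the classpath means the old JAR was
        # not removed. [0-9] keeps differently named modules out of the match.
        for f in "$dir"/spring-"$m"-[0-9]*.jar; do
            [ -e "$f" ] || continue      # glob matched nothing
            name=${f##*/}
            if [ "$name" != "$want" ]; then
                echo "STALE: $name"
                rc=1
            fi
        done
    done
    return $rc
}

# Run the check when a lib directory is passed as the first argument,
# e.g. the FAQ's default /opt/APC/PowerChute/group1/lib
if [ "$#" -gt 0 ]; then
    check_spring_libs "$1"
fi
```

Run it after copying in the new JAR files and before starting the service; any MISSING or STALE line means the lib folder does not yet match the state the procedure is meant to produce.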

APC Belgium

Attachment(s)
Spring5.3.29.zip [4.94 MB]