Security Notification: "LOGJAM" vulnerability (CVE-2015-4000) - impact to PowerChute Network Shutdown.
Issue:
On 20 May 2015, researchers published (at https://weakdh.org/) several weaknesses in the Diffie-Hellman key exchange that can lead to security vulnerabilities in protocols such as HTTPS that rely on TLS 1.2 and earlier. This is known as the Logjam attack (CVE-2015-4000).
Products:
PowerChute Network Shutdown
Environment:
All supported operating systems
Cause:
- Logjam attack against the TLS protocol (CVE-2015-4000 description): "The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the 'Logjam' issue."
- Threats from state adversaries: most servers share a small number of fixed Diffie-Hellman primes, so an adversary can invest in a one-time precomputation against a 1024-bit or smaller prime and then break individual key exchanges on that prime quickly. The cost of that precomputation depends on the prime size:
- 512-bit – An individual user can break this.
- 768-bit – University level resources required.
- 1024-bit – Nation-State level resources required.
V2.2.x – These versions support DHE_EXPORT cipher suites and are vulnerable to the downgrade attack.
V3.0.x and V4.0.0 – DHE_EXPORT cipher suites are blocked, but the Diffie-Hellman prime used is shorter than 2048 bits, so these versions remain vulnerable to precomputation. The difficulty depends on the JRE running PowerChute: Java 8 defaults to a 1024-bit prime; Java 7 may use 768 bits or more, depending on the update level.
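To see which of the tiers above a PowerChute server actually falls into, look at the DHE parameters in the ServerKeyExchange message it sends. The following is an added example, not code from the advisory or from PowerChute: it parses the DHE portion of a TLS 1.2 ServerKeyExchange body (RFC 5246 section 7.4.3), measures the prime, and maps it to the weakdh.org difficulty tiers. The two sample messages are constructed placeholders (the "primes" are just odd numbers of the right length, not real safe primes); on a real system you would feed it the bytes exported from a packet capture of the PowerChute HTTPS port.

```python
"""Classify the ephemeral Diffie-Hellman group a TLS 1.2 server offered.

Added example: parses DHE params from a ServerKeyExchange body and reports
the prime size against the weakdh.org tiers quoted in the advisory.
"""
import struct
from typing import List, Tuple

# Difficulty tiers from weakdh.org: who can realistically run the precomputation
TIERS = [
    (512, "export-grade: breakable by an individual"),
    (768, "academic/university resources"),
    (1024, "nation-state resources"),
]


def parse_dhe_params(body: bytes) -> Tuple[int, int, int]:
    """Return (p, g, Ys) from a ServerKeyExchange body.

    Wire layout (RFC 5246 7.4.3): opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>;
    opaque dh_Ys<1..2^16-1>; followed by the signature, which is ignored here.
    """
    off = 0
    fields: List[int] = []
    for _ in range(3):
        if off + 2 > len(body):
            raise ValueError("truncated ServerKeyExchange")
        (length,) = struct.unpack_from(">H", body, off)
        off += 2
        if length == 0 or off + length > len(body):
            raise ValueError("bad vector length in ServerKeyExchange")
        fields.append(int.from_bytes(body[off:off + length], "big"))
        off += length
    return fields[0], fields[1], fields[2]


def classify_dh_prime(p: int) -> Tuple[int, str]:
    """Map the prime's bit length to the weakest tier able to attack it."""
    bits = p.bit_length()
    for limit, who in TIERS:
        if bits <= limit:
            return bits, who
    if bits < 2048:
        return bits, "below 2048 bits: weak, regenerate or disable DHE"
    return bits, "2048 bits or more: acceptable"


def encode_dhe_params(p: int, g: int, ys: int) -> bytes:
    """Build the DHE part of a ServerKeyExchange body (helper for the samples)."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out


def check_server_key_exchange(body: bytes) -> Tuple[int, str]:
    """Parse a ServerKeyExchange body and classify its DH prime."""
    p, _g, _ys = parse_dhe_params(body)
    return classify_dh_prime(p)


# Constructed samples (NOT real groups): odd numbers of the wanted bit length
SAMPLE_P_1024 = (1 << 1023) | 0x123456789ABCDEF1   # what a Java 8 default looks like
SAMPLE_P_2048 = (1 << 2047) | 0x123456789ABCDEF1   # the size the advisory wants
SAMPLE_SKE_1024 = encode_dhe_params(SAMPLE_P_1024, 2, 1 << 1000)
SAMPLE_SKE_2048 = encode_dhe_params(SAMPLE_P_2048, 2, 1 << 2000)

if __name__ == "__main__":
    for name, msg in (("1024-bit", SAMPLE_SKE_1024), ("2048-bit", SAMPLE_SKE_2048)):
        bits, verdict = check_server_key_exchange(msg)
        print(f"{name} sample: p is {bits} bits -> {verdict}")
```

Because TLS encodes p as a big-endian opaque vector, the bit length is taken from the decoded integer rather than from the vector length, so a leading zero byte cannot inflate the apparent size.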
Solution:
PowerChute Network Shutdown
We recommend updating PowerChute Network Shutdown to the latest version, v4.0.0, or updating the JRE used by PowerChute to Java 8. On 32-bit Solaris, Java 7 must be used.
- V2.2.x – Install the 32-bit version of Java 8 from java.com on the machine running PowerChute. Re-run the PowerChute installer – v2.2.x will automatically detect and use Java 8.
- V3.0.x – Install the 32-bit version of Java 8 from java.com on the machine running PowerChute. Re-run the PowerChute installer and select the Public JRE option.
- V4.0.0 has Java 8 bundled as a private JRE.
Once PowerChute has been configured to use Java 8 (Java 7 on Solaris x86):
- Stop the PowerChute service.
- In the folder where that Java is installed, open lib\security\java.security in a text editor (for v4.0.0 this is the private JRE under the PowerChute installation folder).
- Near the end of the file, locate the line beginning jdk.tls.disabledAlgorithms=. In the JRE originally shipped it reads jdk.tls.disabledAlgorithms=SSLv3; change it to jdk.tls.disabledAlgorithms=SSLv3,DH. Newer Java 8 updates ship additional entries on this line (and may continue it over several lines with a trailing backslash); keep those and append ,DH rather than replacing them. An entry such as DH keySize < 1024 only blocks small groups; the bare DH entry disables all DHE cipher suites, so clients will negotiate ECDHE or RSA key exchange instead.
- Save the file and restart the PowerChute service.
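The edit above is easy to get wrong by hand on a JRE whose java.security already carries other entries, or when it has to be repeated across many PowerChute hosts. The script below is an added example, not part of the advisory or of PowerChute: it applies the procedure idempotently, joining backslash-continued lines the way java.util.Properties does, appending DH only if it is not already present as its own entry (DH keySize < 1024 does not count), and adding the property if the file has no active line for it. The sample file contents are constructed excerpts, and the file path on the command line is assumed to be the java.security of the JRE PowerChute uses.

```python
"""Append DH to jdk.tls.disabledAlgorithms in a java.security file, idempotently.

Added example, not PowerChute code. Usage (path is an assumption, pick the JRE
PowerChute actually runs on):
    python harden_java_security.py /path/to/jre/lib/security/java.security
"""
import re
import shutil
import sys
from typing import List, Tuple

PROP = "jdk.tls.disabledAlgorithms"
_PROP_RE = re.compile(r"\s*" + re.escape(PROP) + r"\s*=\s*(.*)$")


def _logical_lines(raw: List[str]) -> List[Tuple[int, int, str]]:
    """Join lines ending in a backslash, as the Properties loader does.

    Returns (start, end_exclusive, joined_text) over indexes into `raw`.
    """
    out = []
    i = 0
    while i < len(raw):
        start = i
        joined = raw[i]
        while joined.rstrip().endswith("\\") and i + 1 < len(raw):
            i += 1
            joined = joined.rstrip()[:-1] + raw[i].lstrip()
        out.append((start, i + 1, joined))
        i += 1
    return out


def disabled_algorithms(text: str) -> List[str]:
    """Return the entries of the first active (uncommented) PROP line."""
    for _start, _end, line in _logical_lines(text.splitlines()):
        m = _PROP_RE.match(line)
        if m:
            return [e.strip() for e in m.group(1).split(",") if e.strip()]
    return []


def harden_java_security(text: str) -> str:
    """Return `text` with DH added to PROP; unchanged if already present."""
    raw = text.splitlines()
    for start, end, line in _logical_lines(raw):
        m = _PROP_RE.match(line)
        if not m:
            continue  # comments and other properties are left alone
        entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
        # Only a bare "DH" entry disables all DHE suites; "DH keySize < N" does not
        if any(e.upper() == "DH" for e in entries):
            return text
        entries.append("DH")
        raw[start:end] = [f"{PROP}={', '.join(entries)}"]  # collapse continuations
        return "\n".join(raw) + "\n"
    # No active line for the property: add one matching the advisory's value
    return text.rstrip("\n") + f"\n{PROP}=SSLv3, DH\n"


# Constructed excerpts standing in for real java.security files
SAMPLE_ORIGINAL = (
    "# constructed excerpt of an early Java 8 java.security\n"
    "security.provider.1=sun.security.provider.Sun\n"
    "jdk.tls.disabledAlgorithms=SSLv3\n"
)
SAMPLE_NEWER = (
    "# constructed excerpt of a later update with a continued line\n"
    "#jdk.tls.disabledAlgorithms=SSLv3\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, \\\n"
    "    DH keySize < 768\n"
)

if __name__ == "__main__":
    path = sys.argv[1]
    shutil.copy2(path, path + ".bak")  # keep a copy to restore if needed
    with open(path, encoding="latin-1") as fh:  # Properties files are ISO-8859-1
        original = fh.read()
    updated = harden_java_security(original)
    if updated == original:
        print("DH already disabled; nothing to do")
    else:
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(updated)
        print("now:", PROP, "=", ", ".join(disabled_algorithms(updated)))
```

Stop the PowerChute service before running it and start the service afterwards, as in the steps above; the JRE reads java.security once at startup.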