Log4j Vulnerability

Introduction

Document Number

Purpose

The purpose of this document is to describe the Log4j vulnerability, its possible downstream impact on Tellabs systems, and the recommended mitigations to ensure that Log4j has not been inadvertently installed on a Panorama server as part of non-Tellabs software.

Applies To

This document covers responses to the following products: 

  • Tellabs 1000 MSAP
  • Tellabs Panorama 1090
  • Tellabs Panorama INM
  • Tellabs Panorama PON
  • Tellabs OLAN OLTs and ONTs.

CVE/Vulnerability Description

Log4j is a Java-based logging library that is widely used within the Java development community. The initial Log4j vulnerability, CVE-2021-44228, allowed an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP (or other JNDI) servers when message lookup substitution is enabled. Further CVEs were posted as the library was analyzed more closely: CVE-2021-45046 (an incomplete fix in 2.15.0 in certain non-default configurations, found Dec. 14), CVE-2021-45105 (uncontrolled recursion from self-referential lookups, leading to denial of service, found Dec. 17) and CVE-2021-44832 (remote code execution through the JDBC Appender when an attacker can modify the logging configuration, found Dec. 28). Apache closed all four in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).

Vulnerability Statement

Vulnerability Summary for Tellabs Products: 

  • Tellabs 1000 MSAP: Not Vulnerable.  The Tellabs 1000 MSAP does not use Java anywhere within its implementation and therefore is not vulnerable to the Log4j exploit, which requires a Java runtime.
  • Tellabs Panorama 1090: Not Vulnerable.  The Panorama 1090 product used with most T1000 deployments is written in C/C++ and as such is not vulnerable to the Log4j exploits.
  • Tellabs Panorama INM: Not Vulnerable.  While INM is implemented in Java, it does not make use of the Log4j library; standard installations were scanned and no Log4j component was found.
  • Tellabs Panorama PON: Not Vulnerable.  While Panorama PON is implemented in Java, it does not make use of the Log4j library; standard installations were scanned and no Log4j component was found.
  • Tellabs OLTs: Not Vulnerable.  All Tellabs OLAN OLTs are implemented in C/C++ and do not have Java present within the product, and therefore are not vulnerable.

Recommended Mitigations for Log4j as a Precaution

While Log4j is not part of any Tellabs software, the machines on which Tellabs software is deployed may host other software, and an administrator may have installed Java-based tools on them.  It is therefore prudent to scan these machines with a vulnerability scanner, or a dedicated Log4j scanning tool, to confirm that Log4j is not present.  Note that log4j-core is frequently bundled inside WAR/EAR files or repackaged ("shaded") JARs, so a search for files named log4j*.jar alone is not sufficient; the scan should open archives and look inside them.
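A file-system check that goes further than a filename search, added here as an illustration rather than as Tellabs' own tooling: it walks a directory tree, opens every JAR/WAR/EAR/ZIP, recurses into archives nested inside them, and reports each log4j-core copy with its version and whether JndiLookup.class is still present. The sample archives it scans are constructed in a temporary directory (they are not real Log4j builds); the fixed-version thresholds (2.17.1, 2.12.4, 2.3.2) are Apache's published fix releases for the four CVEs above.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Marker entries inside a log4j-core archive: pom.properties carries the version;
# JndiLookup.class is the class that class-removal mitigations delete from the jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

@dataclass
class Finding:
    path: str          # outer file path; nested entries are joined with "!/"
    version: str       # "unknown" when pom.properties is missing (e.g. a shaded jar)
    jndi_lookup: bool  # True if JndiLookup.class is present

def parse_version(pom_properties: bytes) -> str:
    for line in pom_properties.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return "unknown"

def version_tuple(version: str) -> tuple:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)

def is_fixed_version(version: str) -> bool:
    """2.17.1+ (Java 8), 2.12.4+ (Java 7) and 2.3.2+ (Java 6) close all four CVEs."""
    v = version_tuple(version)
    return v >= (2, 17, 1) or (2, 12, 4) <= v < (2, 13, 0) or (2, 3, 2) <= v < (2, 4, 0)

def classify(f: Finding) -> str:
    if is_fixed_version(f.version):
        return "patched"
    if not f.jndi_lookup:
        return "jndi-lookup-removed"  # blocks the JNDI lookup path; upgrading is still the fix
    return "VULNERABLE"

def scan_archive(data: bytes, label: str, out: list) -> None:
    """Inspect one archive held in memory and recurse into any archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip: a corrupt or mislabelled file, which does occur in lib/ dirs
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = parse_version(zf.read(POM_PROPS)) if POM_PROPS in names else "unknown"
            out.append(Finding(label, version, JNDI_LOOKUP in names))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), f"{label}!/{name}", out)

def scan_tree(root: str) -> list:
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXTS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    scan_archive(fh.read(), full, findings)
    return findings

def build_fixture(root: str) -> None:
    """Write constructed sample archives (not real Log4j builds) so the demo runs offline."""
    def core_jar(version: str, with_jndi: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        return buf.getvalue()
    samples = {"log4j-core-2.14.1.jar": core_jar("2.14.1", True),
               "log4j-core-2.14.1-stripped.jar": core_jar("2.14.1", False),
               "log4j-core-2.17.1.jar": core_jar("2.17.1", True)}
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:  # log4j-core hidden inside WEB-INF/lib
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", core_jar("2.15.0", True))
        zf.writestr("WEB-INF/lib/not-really-a.jar", b"plain text, not a zip")
    samples["app.war"] = war.getvalue()
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo() -> dict:
    """Scan the constructed fixture; return {path relative to the fixture root: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return {f.path[len(root) + 1:].replace(os.sep, "/"): classify(f) for f in scan_tree(root)}

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:20} {path}")
```

To use it against a real server, call scan_tree() on the root of the application installation (for example the directory holding the Panorama server and any third-party Java tools) rather than demo(). A "jndi-lookup-removed" result means someone has already applied the class-deletion workaround; it should still be treated as an item to upgrade, since that workaround does not address CVE-2021-45105 or CVE-2021-44832.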

Databases used by Panorama EMS Precaution

The Panorama EMS for the T1000 uses the Oracle database.  Panorama INM supports the Oracle database.  The Panorama PON EMS supports both the Oracle and PostgreSQL databases.  At the time of this writing, none of these databases had been found to be vulnerable to the Log4j exploit.  Administrators should continue to monitor the Log4j advisory pages of these database vendors to ensure that no vulnerabilities have been found in either database product.

Links to the current Oracle and Postgres alerts on the log4j vulnerability can be found here:

