The purpose of this document is to describe the log4j vulnerability, its possible downstream impacts on Tellabs systems, and the recommended mitigations to ensure that log4j has not been inadvertently installed on a Panorama server as part of non-Tellabs software.
This document covers responses to the following products:
Log4j is a Java-based logging library that is widely used within the Java development community. The initial vulnerability, CVE-2021-44228, affects Log4j 2 versions 2.0-beta9 through 2.14.1 and allows an attacker who can control log messages or log message parameters to execute arbitrary code loaded from an attacker-controlled LDAP (or other JNDI) server when message lookup substitution is enabled, which it is by default in those versions. Subsequent CVEs were published as the library was analyzed further (all dates 2021): CVE-2021-45046 on Dec. 14 (the 2.15.0 fix was incomplete in certain non-default configurations; fixed in 2.16.0), CVE-2021-45105 on Dec. 17 (uncontrolled recursion in lookup evaluation leading to denial of service; fixed in 2.17.0), and CVE-2021-44832 on Dec. 28 (remote code execution through the JDBC Appender when an attacker can modify the logging configuration; fixed in 2.17.1). Log4j 1.x is not affected by these four CVEs, but it is end-of-life and receives no security fixes, so a scanner that reports a 1.x copy should still prompt a review of how it is used.
Vulnerability Summary for Tellabs Products:
While log4j is not a part of any Tellabs software, the machines on which Tellabs software is deployed may have other software on them, and tools that use Java may have been installed on the machine by an administrator. As such, it is prudent to scan the machines with a virus scanner or vulnerability scanner to ensure that log4j is not present. A search for files named log4j is not sufficient: log4j-core is frequently bundled inside an application's JAR, WAR or EAR archive, so the scan must look inside archives (including archives nested within archives) for the log4j-core classes, in particular org/apache/logging/log4j/core/lookup/JndiLookup.class. If a copy is found, upgrade it to 2.17.1 or later; where an upgrade is not immediately possible, removing JndiLookup.class from the jar is the mitigation documented by Apache. Setting the log4j2.formatMsgNoLookups property alone is not considered a complete mitigation, since it does not cover CVE-2021-45046.
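The following is an added example of the archive-aware scan described above; it is not Tellabs code or part of any vendor tool. It walks a directory tree, opens every JAR/WAR/EAR/ZIP it finds, recurses into archives nested inside them, reads the log4j-core version from the Maven pom.properties entry, checks whether JndiLookup.class is still present, and reports which of the four CVEs that copy still lacks a fix for. The fixed-in versions are those of the Log4j 2 main release line; the 2.12.x and 2.3.x backport lines are not modelled. The three sample jars it scans are constructed in a temporary directory by build_sample_tree() and are not real files from any product.

```python
"""Scan a directory tree for copies of log4j-core hidden inside JAR/WAR/EAR archives
(including archives nested inside other archives) and report outstanding CVEs.
Constructed example data only: build_sample_tree() fabricates the jars it scans."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# First release on the Log4j 2 main line that fixes each CVE. The 2.12.x (Java 7) and
# 2.3.x (Java 6) backport lines are deliberately not modelled: check those by hand.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0, 0),
    "CVE-2021-45046": (2, 16, 0, 0),
    "CVE-2021-45105": (2, 17, 0, 0),
    "CVE-2021-44832": (2, 17, 1, 0),
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 0); '2.0-beta9' -> (2, 0, 0, -1) so pre-releases sort below 2.0.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\S+)?$", text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if pre else 0)


def outstanding_cves(version, jndi_lookup_present=True):
    """CVEs in FIXED_IN that the given log4j-core version has not been fixed for."""
    v = parse_version(version or "")
    if v is None:
        return ["version unknown: verify manually"]
    if v[0] < 2:
        return []  # Log4j 1.x has no JNDI lookup; not affected by these four CVEs (but end-of-life)
    cves = [cve for cve, fixed in FIXED_IN.items() if v < fixed]
    if not jndi_lookup_present:
        # Deleting JndiLookup.class is the Apache-documented mitigation for the two JNDI CVEs.
        cves = [c for c in cves if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return cves


def _scan_archive(zf, location, findings):
    """Record log4j-core evidence in one open archive, then recurse into archives nested in it."""
    names = zf.namelist()
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    # endswith() also catches shaded copies relocated under a prefix; a shaded copy whose
    # package was renamed would need a class-hash scan instead, which is out of scope here.
    has_jndi = any(n.endswith(JNDI_LOOKUP_CLASS) for n in names)
    if version or has_jndi:
        findings.append({"location": location, "version": version, "jndi_lookup_class": has_jndi,
                         "outstanding": outstanding_cves(version, has_jndi)})
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_archive(inner, f"{location}!{name}", findings)
            except zipfile.BadZipFile:
                continue  # not a real archive despite its name; skip it


def scan_tree(root):
    """Walk root and return one finding per log4j-core copy, sorted by location."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(str(path)) as zf:
                    _scan_archive(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["location"])


def _make_jar(entries):
    """Build an in-memory jar (a zip file) from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed data: three fake log4j-core jars, one nested inside an application jar."""
    root = Path(root)
    (root / "app" / "lib").mkdir(parents=True)
    (root / "opt" / "tool").mkdir(parents=True)
    class_stub = b"\xca\xfe\xba\xbe"  # Java class-file magic; the class body is irrelevant to the scan
    unpatched = _make_jar({POM_PROPERTIES: b"version=2.14.1\n", JNDI_LOOKUP_CLASS: class_stub})
    # An application jar bundling log4j-core: a plain file-name search would miss it.
    (root / "app" / "lib" / "app.jar").write_bytes(_make_jar(
        {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "lib/log4j-core-2.14.1.jar": unpatched}))
    # 2.16.0 with JndiLookup.class deleted (the Apache "zip -q -d" mitigation applied).
    (root / "opt" / "tool" / "log4j-core-2.16.0.jar").write_bytes(_make_jar({POM_PROPERTIES: b"version=2.16.0\n"}))
    # Fully patched copy.
    (root / "opt" / "tool" / "log4j-core-2.17.1.jar").write_bytes(
        _make_jar({POM_PROPERTIES: b"version=2.17.1\n", JNDI_LOOKUP_CLASS: class_stub}))


def demo():
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['location']}\n  version={f['version']} JndiLookup.class={f['jndi_lookup_class']} "
              f"outstanding={f['outstanding'] or 'none'}")
```

To use it on a real server, call scan_tree("/") (or the directories where third-party software is installed) instead of demo(); the nested 2.14.1 copy in the sample is reported with all four CVEs outstanding, the 2.16.0 copy with the lookup class removed still shows CVE-2021-45105 and CVE-2021-44832, and the 2.17.1 copy shows none.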
The Panorama EMS for T1000 uses the Oracle database. The Panorama INM supports the Oracle database. The Panorama PON EMS supports both the Oracle and PostgreSQL databases. At the time of this writing, neither database product had been found to be vulnerable to the log4j exploit; the PostgreSQL server is written in C and does not use log4j. It is recommended that administrators continue to monitor the log4j pages of both database vendors to confirm that no vulnerabilities have been found in either product, bearing in mind that vendor advisories may cover Java-based management or client tooling installed alongside the database rather than the database engine itself.
Links to the current Oracle and Postgres alerts on the log4j vulnerability can be found here: