Skip to main content

Smart System Security

Known Issues & Fixes

This page was last updated on: December 20, 2021

It is one of our major interests to provide you as our customers with reliable and highly secured products and system solutions. On this page, you will therefore find information about known issues and their solution approach.

> Log4j security vulnerability

In case you are not sure whether your system may be compromised, please contact our Customer Support via your JIRA Customer Help-Desk or e-mail us: Support(at)LStelcom.com.

Your Support Contact

Contact us via your JIRA Customer Help-Desk or e-mail us

E-mail: Support(at)LStelcom.com

Log4j security vulnerability

As you may have heard from media and press reports over the last weekend and beginning of this week, an IT security gap has been identified. LS telcom is aware of the Log4j security vulnerability being reported by Apache.org, specifically CVE-2021-44228.

We will keep you informed about the investigation results on how this vulnerability affects our products.

> ALL-CLEAR for LS telcom products

> SPECTRA system directly available over the internet (e.g. SPECTRAweb or mySPECTRA)

> SPECTRA system deployed in internal networks (e.g. SPECTRAplus)

ALL-CLEAR for the following LS telcom products

We confirm the following products are not affected by the Log4j security vulnerability:

CHIRplus_BC

CHIRplus_TC

CHIRplus_NGN

LS OBSERVER CMS

MONITORplus

SPECTRAemc

SPECTRAplan S

Recommendations for SPECTRA system directly available over the internet

(e.g. SPECTRAweb or mySPECTRA)

Preliminary assessment:

Where Log4j is used in external SPECTRAweb or mySPECTRA we recommend to execute the above described mitigation actions.

Log4j has released version 2.17.1, which contains a solution for the vulnerability. Where required LS telcom is preparing a patch to resolve the vulnerability. We will provide further information on the roll-out and installation procedure once it is available.

Recommendations for SPECTRA system deployed in internal networks

(e.g. SPECTRAplus)

Preliminary assessment:

Log4j is used in internal SPECTRAplus, SPECTRAweb and mySPECTRA versions by several services. At this point, we consider the risk for such systems to be lower as these services are not directly available via public internet. Nevertheless we recommend to execute also for these systems the above described mitigation actions.

Log4j has released version 2.17.1, which contains a solution for the vulnerability, LS telcom is planning to release a patch that resolves the vulnerability. We will provide further information on the roll-out an installation procedure as soon as available.