Spok Response to CVE-2021-44228 - Log4j
Overview
A flaw was found in the Java logging library Apache Log4j 2, versions 2.0-beta9 through 2.14.1. A remote attacker can execute code on the server if the application logs an attacker-controlled string containing a JNDI lookup (for example, one that points at an LDAP server the attacker runs), because Log4j resolves the lookup and loads the object it returns.
Resolution/Topic
This issue affects Log4j 2 versions 2.0-beta9 through 2.14.1 whenever message lookup substitution is enabled, which is the default. It does not depend on the JMS Appender being configured; that condition applies to the separate Log4j 1.x JMSAppender issue, not to CVE-2021-44228.
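To turn the version statement above into a check you can run against your own deployments, here is an added example (not Spok's code, and not part of the original page) that inspects JAR/WAR/EAR files for an embedded log4j-core, reads its version from the Maven pom.properties, decides whether it falls in the affected range, and also reports when JndiLookup.class has been removed, which is one of the accepted mitigations. The sample archives it builds in a temp directory are constructed for the demo; the class bytes inside them are placeholders, and the helper and function names are the example's own.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Marker files inside log4j-core: the Maven metadata that records the version,
# and the lookup class that implements the JNDI substitution.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release qualifiers sort before a release (rank 3)


def version_key(version):
    """Turn '2.0-beta9', '2.0-rc1' or '2.14.1' into a comparable tuple."""
    base, _, qual = version.partition("-")
    nums = [int(p) for p in base.split(".")]
    nums += [0] * (3 - len(nums))
    if qual:
        m = re.match(r"([a-z]+)(\d*)", qual.lower())
        rank, qnum = _QUALIFIER_RANK.get(m.group(1), 0), int(m.group(2) or 0)
    else:
        rank, qnum = 3, 0
    return (*nums[:3], rank, qnum)


FIRST_AFFECTED = version_key("2.0-beta9")
LAST_AFFECTED = version_key("2.14.1")


def version_affected(version):
    """True if this log4j-core version is in the CVE-2021-44228 range."""
    k = version_key(version)
    if not (FIRST_AFFECTED <= k <= LAST_AFFECTED):
        return False
    # The Java 6 and Java 7 backport lines (2.3.1+, 2.12.2+) already carry the fix.
    if k[:2] == (2, 3) and k[2] >= 1:
        return False
    if k[:2] == (2, 12) and k[2] >= 2:
        return False
    return True


def scan_archive(source, location=""):
    """Return findings for this archive and for any .jar/.war/.ear nested inside it."""
    findings = []
    with zipfile.ZipFile(source) as archive:
        names = set(archive.namelist())
        version = None
        if POM_PROPS in names:
            for line in archive.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None:
            has_jndi = JNDI_LOOKUP in names
            if not version_affected(version):
                status = "fixed-version"
            elif not has_jndi:
                status = "mitigated-class-removed"
            else:
                status = "vulnerable"
            findings.append({"location": location, "version": version,
                             "jndi_lookup_present": has_jndi, "status": status})
        for name in names:  # recurse into bundled libraries, e.g. WEB-INF/lib/*.jar
            if name.lower().endswith((".jar", ".war", ".ear")):
                nested = io.BytesIO(archive.read(name))
                findings.extend(scan_archive(nested, f"{location}!/{name}"))
    return findings


def _jar_bytes(version=None, include_jndi=True, nested=()):
    """Build a constructed sample archive in memory (placeholder class bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if include_jndi:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        for name, data in nested:
            jar.writestr(name, data)
    return buf.getvalue()


def demo():
    """Write constructed samples to a temp dir, scan them, and return {filename: [statuses]}."""
    workdir = Path(tempfile.mkdtemp())
    samples = {
        "log4j-core-2.14.1.jar": _jar_bytes("2.14.1"),
        "log4j-core-2.17.1.jar": _jar_bytes("2.17.1"),
        "log4j-core-2.14.1-stripped.jar": _jar_bytes("2.14.1", include_jndi=False),
        "log4j-core-2.12.2.jar": _jar_bytes("2.12.2"),
        "app.war": _jar_bytes(nested=[("WEB-INF/lib/log4j-core-2.13.3.jar", _jar_bytes("2.13.3"))]),
        "other-lib.jar": _jar_bytes(nested=[("com/example/Foo.class", b"\xca\xfe\xba\xbe")]),
    }
    results = {}
    for name, data in samples.items():
        path = workdir / name
        path.write_bytes(data)
        results[name] = [f["status"] for f in scan_archive(path, str(path))]
    return results


if __name__ == "__main__":
    for name, statuses in demo().items():
        print(f"{name}: {statuses or ['no log4j-core found']}")
```

The check relies on the Maven metadata shipped in the stock log4j-core JAR; a copy that has been shaded or repackaged under a different group id (the kind of embedded third-party component that shows up in the Nuance tooling noted in the product table) will not be identified by name, so treat a clean result from this script as a starting point, not proof, and confirm against the vendor KB article for the product.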
Q&A
Q: Are Spok products impacted by this vulnerability?
A: Spok is currently reviewing all current generally available products to determine risk. Below is the current list of products and the response from Spok:
Product | Impact | Notes
--- | --- | ---
Spok Go | Not impacted | Spok Go does not use Log4j
Smart Suite 7.1 | Not impacted | Smart Suite 7.1 currently uses a version that is not impacted. See KB63525 for further details.
Medicall 11.9 or later | Not impacted | Medicall does not use Log4j
Spok Console 7.9 or later | Not impacted | Spok Console does not use Log4j
PC/PSAP 11.11.0.404 or later | Not impacted | PC/PSAP does not use Log4j
Enterprise Alert 11.11.0.415 or later | Not impacted | Enterprise Alert does not use Log4j
Spok Mobile 4.5 or later | Not impacted | Spok Mobile does not use Log4j
Messenger 5.13 or later | Not impacted | Messenger does not use Log4j. Mirth currently uses a version that is not impacted. See KB63532 for further details.
Spok Speech 7.0.4 or later | Not impacted | Spok Speech currently uses a version that is not impacted. See KB63523 for further details.
CTI (Computer Telephony Integration), all versions | Not impacted | CTI does not use Log4j
Care Connect Speech 3.1 | Impacted (see KB63530) | Care Connect Speech 3.1 includes Log4j as part of the embedded Nuance tools. To remediate the vulnerability, see KB63530 for instructions.
Care Connect Speech 3.3 | Not impacted | The Nuance components used by Care Connect Speech 3.3 do not use Log4j. Note: unused Nuance components are showing up in security scans; see KB63493 for steps to remediate.
Smart Speech (all versions) | Not impacted | Smart Speech currently uses a version that is not impacted. See KB63528 for further details.
HigherGround (all versions) | Not impacted | HigherGround has confirmed that their applications do not use Log4j
We will continue to update this page as we learn more.
Q: Is SecureLink impacted by this vulnerability?
A: No. Spok has reached out to SecureLink and they have verified that they are not impacted by this vulnerability.
Q: Does Spok recommend that I apply a PBX vendor-recommended Log4j patch to my phone system?
A: As long as the patch is considered a minor update and is within the current major PBX version, Spok recommends that you apply it per the vendor instructions. Spok strongly recommends that you follow standard patching best practices:
1. Apply the patch to a test environment first (if possible) and complete full user acceptance testing of your Spok integrated products
2. Ensure you have a clear back-out plan in case you experience unexpected issues
IMPORTANT: If the PBX vendor is recommending a major upgrade to the PBX version, please open a support case to ensure the recommended version is compatible with your Spok solutions and to determine if a Spok Professional Services engagement may be required to ensure success.
Updated 1/7/2022
Related Defects:
N/A