Spok

Spok Response to CVE-2021-44228 - Log4j

Overview

A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0-beta9 up to and including 2.14.1. This could allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value containing a JNDI lookup that points to the attacker's LDAP server.
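An inventory check for the version range given above, added here as an example (it is not Spok's or Apache's code). It assumes Log4j is packaged under the usual `log4j-core-<version>.jar` file name and that the JNDI lookup class sits at its standard path inside the jar; the function names are illustrative.

```python
import io
import re
import zipfile
from pathlib import Path

# Affected range as stated in the Overview: 2.0-beta9 up to and including 2.14.1.
LOWER, UPPER = (2, 0, 0), (2, 14, 1)
JAR_NAME = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")

def classify_name(name):
    """'affected' / 'not-affected' from a log4j-core file name, else None."""
    m = JAR_NAME.search(name)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    pre, pre_n = (m.group(4) or "").lower(), int(m.group(5) or 0)
    if version == LOWER and pre:
        # Pre-releases of 2.0: only beta9 and the later release candidates are in range.
        in_range = pre == "rc" or (pre == "beta" and pre_n >= 9)
    else:
        in_range = LOWER <= version <= UPPER
    return "affected" if in_range else "not-affected"

def scan_archive(data, label, findings):
    """Record log4j-core copies in an archive (bytes), descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; skip it
    with zf:
        names = zf.namelist()
        status = classify_name(label)
        if status:
            findings.append((label, status, JNDI_CLASS in names))
        elif JNDI_CLASS in names:
            # Shaded/uber jar: class is present but the file name carries no version.
            findings.append((label, "unknown-version", True))
        for n in names:
            if n.lower().endswith(ARCHIVES):
                scan_archive(zf.read(n), f"{label}!/{n}", findings)
    return findings

def scan_tree(root):
    """Scan every archive under a directory; returns (path, status, has_JndiLookup)."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVES:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings
```

Call `scan_tree` on an installation directory; each tuple gives the archive path (nested archives shown with `!/`), the status from the file name, and whether the JndiLookup class is present. The range is applied literally as the Overview states it, so confirm any hit against the product's KB article.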

Resolution/Topic

This issue only affects log4j versions between 2.0 and 2.14.1 when the JMS Appender is enabled. 

Q&A

Q:  Are Spok products impacted by this vulnerability?

A:  Spok is currently reviewing all current generally available products to determine risk.  Below is the current list of products and the response from Spok:

| Product | Impact | Notes |
| --- | --- | --- |
| Spok Go | Not impacted | Spok Go does not use Log4j |
| Smart Suite 7.1 | Not impacted | Smart Suite 7.1 currently uses a version that is not impacted. See KB63525 for further details |
| Medicall 11.9 or later | Not impacted | Medicall does not use Log4j |
| Spok Console 7.9 or later | Not impacted | Spok Console does not use Log4j |
| PC/PSAP 11.11.0.404 or later | Not impacted | PC/PSAP does not use Log4j |
| Enterprise Alert 11.11.0.415 or later | Not impacted | Enterprise Alert does not use Log4j |
| Spok Mobile 4.5 or later | Not impacted | Spok Mobile does not use Log4j |
| Messenger 5.13 or later | Not impacted | Messenger does not use Log4j. Mirth currently uses a version that is not impacted. See KB63532 for further details |
| Spok Speech 7.0.4 or later | Not impacted | Spok Speech currently uses a version that is not impacted. See KB63523 for further details |
| CTI (Computer Telephony Integration) all versions | Not impacted | CTI does not use Log4j |
| Care Connect Speech 3.1 | Impacted. See KB63530 | CareConnect Speech 3.1 includes Log4j as part of the embedded Nuance tools. To remediate the vulnerability, please see KB63530 for instructions. |
| Care Connect Speech 3.3 | Not impacted | The Nuance components used by Care Connect Speech 3.3 do not use Log4j. *Note: There are unused Nuance components that are showing up in security scans; please see KB63493 for steps to remediate. |
| Smart Speech (all versions) | Not impacted | Smart Speech currently uses a version that is not impacted. See KB63528 for further details |
| HigherGround (all versions) | Not impacted | HigherGround has confirmed that their applications do not use Log4j |

We will continue to update this page as we learn more.

Q:  Is SecureLink impacted by this vulnerability?

A:  No.  Spok has reached out to SecureLink and they have verified that they are not impacted by this vulnerability.

Q:  Does Spok recommend that I apply a PBX vendor-recommended Log4j patch to my phone system?

A:  As long as the patch is considered a minor update and is within the current major PBX version, Spok recommends that you apply it per the vendor instructions.  Spok strongly recommends that you follow standard patching best practices:

1.  Apply the patch to a test environment first (if possible) and complete full user acceptance testing of your Spok integrated products

2.  Ensure you have a clear back-out plan in case you experience unexpected issues

IMPORTANT:  If the PBX vendor is recommending a major upgrade to the PBX version, please open a support case to ensure the recommended version is compatible with your Spok solutions and to determine if a Spok Professional Services engagement may be required to ensure success.

Updated 1/7/2022

 

Related Defects:

N/A

 


KB63150