A flaw was found in the Java logging library Apache Log4j 2 in versions from 2.0-beta9 up to and including 2.14.1. The flaw could allow a remote attacker to execute code on the server if the system logs an attacker-controlled string value containing a JNDI lookup that points to the attacker's LDAP server.
This issue only affects Log4j versions between 2.0 and 2.14.1 when the JMS Appender is enabled.
Q: Are Spok products impacted by this vulnerability?
A: Spok is currently reviewing all current generally available products to determine risk. Below is the current list of products and the response from Spok:
|Spok Go||Not impacted||Spok Go does not use Log4j|
|Smart Suite 7.1||Not impacted||Smart Suite 7.1 currently uses a version that is not impacted. See KB63525 for further details.|
|Medicall 11.9 or later||Not impacted||Medicall does not use Log4j|
|Spok Console 7.9 or later||Not impacted||Spok Console does not use Log4j|
|PC/PSAP 184.108.40.2064 or later||Not impacted||PC/PSAP does not use Log4j|
|Enterprise Alert 220.127.116.115 or later||Not impacted||Enterprise Alert does not use Log4j|
|Spok Mobile 4.5 or later||Not impacted||Spok Mobile does not use Log4j|
|Messenger 5.13 or later||Not impacted||Messenger does not use Log4j. Mirth currently uses a version that is not impacted. See KB63532 for further details.|
|Spok Speech 7.0.4 or later||Not impacted||Spok Speech currently uses a version that is not impacted. See KB63523 for further details.|
|CTI (Computer Telephony Integration) all versions||Not impacted||CTI does not use Log4j|
|Care Connect Speech 3.1||CareConnect Speech 3.1 includes Log4j as part of the embedded Nuance tools. To remediate the vulnerability, please see KB63530 for instructions.|
|Care Connect Speech 3.3||Not impacted||The Nuance components used by Care Connect Speech 3.3 do not use Log4j. *Note: There are unused Nuance components that are showing up in security scans, please see KB63493 for steps to remediate.|
|Smart Speech (all versions)||Not impacted||Smart Speech currently uses a version that is not impacted. See KB63528 for further details.|
|HigherGround (all versions)||Not impacted||HigherGround has confirmed that their applications do not use Log4j|
We will continue to update this page as we learn more.
Q: Is SecureLink impacted by this vulnerability?
A: No. Spok has reached out to SecureLink and they have verified that they are not impacted by this vulnerability.
Q: Does Spok recommend that I apply a PBX vendor-recommended Log4j patch to my phone system?
A: As long as the patch is considered a minor update and is within the current major PBX version, Spok recommends that you apply it per the vendor instructions. Spok strongly recommends that you follow standard patching best practices:
1. Apply the patch to a test environment first (if possible) and complete full user acceptance testing of your Spok integrated products
2. Ensure you have a clear back-out plan in case you experience unexpected issues
IMPORTANT: If the PBX vendor is recommending a major upgrade to the PBX version, please open a support case to ensure the recommended version is compatible with your Spok solutions and to determine if a Spok Professional Services engagement may be required to ensure success.