Information on Log4J vulnerability and Spok Speech
Spok Speech CVE-2021-44228 - Log4j Q&A
Overview
The following contains questions regarding the Apache Log4J vulnerability - CVE-2021-44228 as it relates to Spok Speech. Please contact Spok Support for any additional questions your organization may have.
Q: What version of Log4j is Spok Speech using?
A: Spok Speech is using an embedded version of Nuance that is using Log4j 1.x
Q: Is that version impacted by CVE-2021-44228?
A: No, CVE-2021-44228 only impacts Log4j version 2.
Q: What is Spok’s plan to move to the latest patched version of Log4j?
A: The path for resolution is to migrate to Care Connect Speech 3.3 or later.
Q: What do I need to do to upgrade?
A: The migration to Care Connect Speech would be considered a major upgrade and would need to be coordinated through your Spok Sales representative.
Q: Is Spok at risk of the following Log4J version 1.x vulnerabilities: CVE-2022-23302, CVE-2022-23305, CVE-2022-23307, CVE-2019-17571, CVE-2020-9488, CVE-2021-4104?
A: No, Spok has confirmed that Spok Speech does not enable any of the components that would need to be utilized for these vulnerabilities to be applicable: JMSSink, JDBCAppender, Apache, Chainsaw."
For additional information regarding Spok’s Response to CVE-2021-44228 – Log4j vulnerability, please visit the following: https://knowledge.spok.com/General_S...CVE-2021-44228
Related Defects:
N/A