Information on Log4J vulnerability and Spok Speech

Overview 

The following contains questions regarding the Apache Log4J vulnerability - CVE-2021-44228 as it relates to Spok Speech.  Please contact Spok Support for any additional questions your organization may have.

Q:  What version of Log4j is Spok Speech using? 

A:  Spok Speech is using an embedded version of Nuance that is using Log4j 1.x 

Q:  Is that version impacted by CVE-2021-44228? 

A:  No, CVE-2021-44228 only impacts Log4j version 2. 

Q:  What is Spok’s plan to move to the latest patched version of Log4j? 

A:  The path for resolution is to migrate to Care Connect Speech 3.3 or later. 

Q:  What do I need to do to upgrade? 

A:  The migration to Care Connect Speech would be considered a major upgrade and would need to be coordinated through your Spok Sales representative.   

Q:  Is Spok at risk of the following Log4J version 1.x vulnerabilities: CVE-2022-23302, CVE-2022-23305, CVE-2022-23307, CVE-2019-17571, CVE-2020-9488, CVE-2021-4104?

A:  No, Spok has confirmed that Spok Speech does not enable any of the components that would need to be utilized for these vulnerabilities to be applicable: JMSSink, JDBCAppender, Apache, Chainsaw."

For additional information regarding Spok’s Response to CVE-2021-44228 – Log4j vulnerability, please visit the following: https://knowledge.spok.com/General_S...CVE-2021-44228