Response to Apache Log4j2 vulnerability
Updated March 15, 2022
Summary
At this time, Nuance is adhering to current guidance from The Apache Software Foundation about the critical remote code execution vulnerabilities affecting multiple Log4j2 versions. The Nuance Security Intelligence and Operations team promptly updated our security systems to automatically detect and block attempted exploitation of this vulnerability and will continue to operate at heightened readiness.
Currently, Nuance is not aware of any impact to the security of our solutions and has not experienced any degradation in the availability of those solutions as a result of the Log4j2 vulnerability.
We continue to work with our security partners and the intelligence community to keep our systems up to date with the latest information and protection. The Nuance Cyber Fusion Center is working with our development and IT teams to identify and update Nuance systems to remove the risk posed by this vulnerability.
As we and the industry at large continue to gain a deeper understanding of the impact of this threat, we will continue to publish information to help customers detect, investigate, and mitigate attacks across all our solutions. We remain committed to the security and privacy of customer information. Please visit the Nuance Trust Center to learn how we approach and manage security, privacy, and compliance.
As the Log4j2 investigation progresses, Nuance will update the table below frequently with the most current information about Nuance-specific product source code and available remediation or mitigation. If you do not see a specific product of interest, then that product is still under investigation. Because this is an ongoing investigation, be aware that solutions currently considered not vulnerable may subsequently be considered vulnerable as additional information from third parties becomes available.
Solution | Status |
---|---|
Dragon Medical One (DMO) | Not Affected |
PowerMic Mobile (PMM) | Not Affected |
DAX | Fixed |
DAX Mobile | Not Affected |
DAX Ambient Device | Not Affected |
Saykara (Kara) | Not Affected |
Nuance Management Server (NMS), Nuance Management Center (NMC), and Nuance Command Center (NCC) | Not Affected |
Dragon Medical Network Edition (DMNE) | Not Affected |
Dragon Medical Practice Edition (DMPE) | Not Affected |
Dragon Medical Direct (DMD) | Not Affected |
Dragon Medical Server / Dragon Medical SpeechKit | Not Affected |
Dragon Medical Workflow Edition (DMWE) | Not Affected |
Dragon Medical Workflow Manager (DMWM) | Not Affected |
DMWM - HL7 Integrations | Not Affected |
Winscribe Dictate | Not Affected |
Dragon Medical Advisor (Inpatient Guidance, Outpatient Guidance, ED Guidance) | Not Affected |
Dragon Medical Advisor (DMA) Analytics | Not Affected |
Nuance Surgical CAPD | Fixed |
Epic NoteReader | Not Affected |
Epic NoteReader CDI | Not Affected |
Cerner Document Quality Review (DQR) | Not Affected |
Nuance CDE One | Fixed |
Nuance Clintegrity CDI | Patch Available |
Nuance CDMP Guide | Not Affected |
Nuance Quality Measures | Not Affected |
Nuance Performance Analytics | Fixed |
Nuance Clintegrity Coding Solutions and Platform (Facility Coding, Physician Coding, Coding Compliance, Coding Abstracting, Enhanced Coding Workflow, Record Management, Electronic Document Management) | Patch Available |
Nuance Clintegrity Claims Editor (CCE) | Not Affected |
Nuance Quality Management | Not Affected |
JATA CDI DataMart | Not Affected |
Nuance VA CDI Pro | Patch Available |
Nuance VA VERA Analyzer | Patch Available |
PowerScribe 360 Reporting | Not Affected |
PowerScribe 360 Mobile Clinician | Not Affected |
PowerScribe 360 Mobile Radiologist | Not Affected |
PowerScribe One (On-Prem) | Not Affected |
PowerScribe One Essentials | Not Affected |
PowerScribe Advanced Data Integration with ModLink | Not Affected |
PowerScribe Follow-Up Manager | Not Affected |
PowerScribe Lung Cancer Screening | Not Affected |
PowerScribe Workflow Orchestration | Not Affected |
PowerScribe Protocolling | Not Affected |
PowerShare | Fixed |
PowerShare Mobile | Not Affected |
mPower (Cloud) | Not Affected |
mPower (On Prem) | Not Affected |
PowerConnect Actionable Findings | Not Affected |
PowerConnect Call Manager | Not Affected |
PowerConnect Communicator | Not Affected |
PowerConnect ED Workflow | Not Affected |
PowerConnect Peer Campaigns | Not Affected |
PowerConnect Peer Learning | Not Affected |
PowerConnect Resident Feedback | Not Affected |
PowerConnect Teaching Files | Not Affected |
PowerConnect Tech QA | Not Affected |
PowerConnect Virtual Consult | Not Affected |
Primordial First Gen/Innovator/Legacy/Next Gen | Not Affected |
Nuance RadMetrix | Not Affected |
Nuance AI Marketplace | Not Affected |
Nuance Healthcare Development Platform (NHDP) | Not Affected |
SpeechMagic 7 | Fixed |
SpeechMagic 8 | Fixed |
As of 10:30 AM Eastern on February 1, 2022, Nuance is adhering to current guidance from The Apache Software Foundation about the critical remote code execution vulnerabilities (CVE-2021-44228 and CVE-2021-45046) affecting multiple Log4j2 versions.
Solution | Status |
---|---|
Nuance Cloud IVR | Fixed |
Conversational AI Services | Fixed |
Dragon TV | Fixed |
DTVaaS | Fixed |
Nuance Gatekeeper v1 | Not Affected |
Nuance Mix | Fixed |
Nuance Call Steering Portal | Not Affected |
Nuance Enterprise Access Management | Fixed |
Nuance Virtual Assistant | Fixed |
NINA (NINA Web Virtual Assistant) | Fixed |
Nuance Live Assist | Fixed |
Nuance Agent Coach | Fixed |
Nuance Proactive Engagement | Not Affected |
Nuance Insights | Fixed |
Nuance Insights for Hosted IVR | Not Affected |
On Demand Insight | Not Affected |
Nuance Experience Studio (NES) | Fixed |
Secure Tuning Environment (STE) | Fixed |
Swype Connect | Not Affected |
Voicemail To Text (V2T) | Not Affected |
Nuance Mobile Care (NMC) | Fixed |
Enterprise On-Premise
Solution | Status |
---|---|
Conversational AI Dialog Service | Patch Available |
Nuance Adaptive Grammar Engine 6.1 | Not Affected |
Nuance Dialog Modules 6.1 | Not Affected |
Nuance License Manager 11.16.5 | Not Affected |
Nuance Management Station 5.2 | Not Affected |
Nuance Meaning Extraction Engine 6.2 | Not Affected |
Nuance Recognizer 10.2 | Not Affected |
Nuance Speech Server 6.2 | Not Affected |
Nuance Speech Suite Platform Add-on 6.0.4 and earlier | Not Affected |
Nuance Speech Suite Platform Add-on 6.0.5 and later | Patch Available |
Nuance Speech Suite 11 (without Management Station, Dragon Voice) | Not Affected |
Nuance Speech Suite 11.0.7 and later (with Management Station and/or Dragon Voice) | Patch Available |
Nuance Speech Suite 10.5 | Not Affected |
Nuance Speech Suite Mix VoiceXML Connector 1.0 and 1.1 | Patch Available |
Nuance Tune 3.0 | Not Affected |
Nuance Transcription Engine 4 (NTE4) | Not Affected |
Nuance Vocalizer for Enterprise 7.x, 20.x, and 21.x | Not Affected |
Nuance Vocalizer for Enterprise 5.7, 6.0, 6.2, and 6.5 | Not Affected |
Nuance Vocalizer Studio and Nuance Vocalizer Expressive Studio (all versions) | Not Affected |
Nuance Voice Platform 5.5 and earlier | Not Affected |
Security Suite 10 | Not Affected |
Security Suite 11 | Not Affected |
Security Suite 12 | Not Affected |
Solution | Status |
---|---|
Dragon Professional Anywhere (DPA) | Not Affected |
Dragon Anywhere Mobile | Not Affected |
Dragon Professional Group (DPG) | Not Affected |
Dragon Professional Individual (DPI) | Not Affected |
Dragon Law Enforcement (DLE) | Not Affected |
Dragon Legal Anywhere (DLA) | Not Affected |
Dragon Legal Group (DLG) | Not Affected |
Dragon Legal Individual (DLI) | Not Affected |
Dragon Home | Not Affected |
Dragon Client SDK | Not Affected |
Dragon Server SDK | Not Affected |
LEGAL DISCLAIMER
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. NUANCE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. NUANCE EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Nuance products.