Nuance’s security response

Response to Apache Log4j2 vulnerability

Updated January 20, 2022

Summary

Nuance is adhering to current guidance, at this time, from The Apache Software Foundation about the critical remote code execution vulnerabilities affecting multiple Log4j2 versions. The Nuance Security Intelligence and Operations team promptly updated our security systems to automatically detect and block attempted exploitation of this vulnerability and will continue to proceed at a heightened readiness.

Currently, Nuance is not aware of any impact to the security of our solutions and has not experienced any degradation in the availability of those solutions, as a result of the Log4j2 vulnerability.

We continue to work with our security partners and the intelligence community to keep our systems up to date with the latest information and protection. The Nuance Cyber Fusion Center is working with our development and IT teams to identify and update Nuance systems to remove the risk posed by this vulnerability.

As we and the industry at large continue to gain a deeper understanding of the impact of this threat, we will continue to publish information to help customers detect, investigate, and mitigate attacks across all our solutions. We remain committed to the security and privacy of customer information. Please visit the Nuance Trust Center to learn how we approach and manage security, privacy, and compliance.

As the Log4j2 investigation progresses, Nuance will update the table below frequently with the most current information about Nuance-specific product source code and available remediation or mitigation. If you do not see a specific product of interest, then that product is still under investigation. Because this is an ongoing investigation, be aware that solutions currently considered not vulnerable may subsequently be considered vulnerable as additional information from third parties becomes available.