
Plum Voice Not Vulnerable to Log4Shell (CVE-2021-44228 and CVE-2021-45046)

Last updated: 12/17/21

Summary

Plum Voice is aware of CVE-2021-44228, also referred to as "Log4Shell", a remote code execution (RCE) vulnerability in Apache Log4j (version 2). We are also aware of CVE-2021-45046, an additional vulnerability identified in Apache's emergency update to patch CVE-2021-44228.

After investigating, we believe that the Log4Shell vulnerabilities do not affect Plum Voice or any of our customer-facing, third-party production applications used to run our infrastructure.

Plum Voice has implemented all mitigation instructions provided by third-party application vendors. We will continue to monitor the situation and any guidance that additional vendors provide about their products.

Background info

Apache Log4j is a widely-used library for logging functionality in Java-based applications. On December 9th, 2021, a zero-day exploit for Log4j (version 2) was discovered that allows remote code execution (RCE) by logging a certain string. Also referred to as Log4Shell, this vulnerability has since been published as CVE-2021-44228.

A second Log4j vulnerability, published as CVE-2021-45046, was discovered on December 14th, 2021. An emergency update issued by Apache for CVE-2021-44228 was determined to be incomplete in certain non-default configurations, making it possible to execute denial-of-service (DoS) attacks and download data from affected servers.

Does Log4Shell affect:

Plum Voice?

No. We do not use Java internally, so any code written by Plum Voice is not vulnerable to CVE-2021-44228 or CVE-2021-45046.

Any of Plum Voice's 3rd-party infrastructure applications?

After investigation, we believe that CVE-2021-44228 and CVE-2021-45046 do not affect any of the customer-facing, third-party production applications used to run our infrastructure.

Plum Voice has implemented all mitigation instructions provided by third-party application vendors. We will continue to monitor the situation and any guidance that additional vendors provide about their products.

Recommendations

At this time, we believe that the Log4Shell vulnerabilities do not affect either Plum Voice or any of our customer-facing, third-party production applications used to run our infrastructure.

However, we still encourage customers to follow security best practices and continue to monitor this notice for any further updates.

Related Information

Revision history

  • 12/17/21: UPDATE - Added description, response to CVE-2021-45046. Added link to NVD publication on CVE-2021-45046.

  • 12/13/21: Initial posting.


For any customers who write their own code, we recommend that you review your self-hosted applications on your networks that you may be using to interact with Plum Voice systems. For more info on Log4Shell, see .

Apache Log4j publication: https://logging.apache.org/log4j/2.x/security.html

CVE-2021-44228 publication: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

CVE-2021-45046 publication: https://nvd.nist.gov/vuln/detail/CVE-2021-45046