CVE-2021-44228 - log4j - 1Password vulnerable?

Hi all

Is the vulnerable log4j library in use by 1Password? Can a 1Password employee please issue a statement on potential exposure / review.

Thanks

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Butcha
    Community Member

    I was also looking for information from 1Password for this but was unable to find anything from the publicly available sources. Since this is probably the most critical vulnerability of the decade I am expecting some kind of statement from 1Password on this along with an advisory.

  • Zenistar
    Community Member

    I have also mailed the support team asking for confirmation.

  • Detus
    Community Member

    We also need to know what the exposure is as part of our vulnerability assessment. I have also emailed their support for an update, hopefully they will issue something.

  • KeySurfer
    Community Member

    Hi, did anyone have an answer to this? I'm also doing a vulnerability assessment for the business and didn't want to send another email.

  • Zenistar
    Community Member

    I received a response from 1password support a short while ago:

    Hi Adrian
    Thanks for getting in touch with us regarding the vulnerability.
    1Password's product stack generally does not use Java or the Java runtime, and therefore is not affected by this issue. In places where we must use Java technology - such as in our Android app - we do not use Log4j. As a result, the attack surface for this issue amongst 1Password's application stack is very limited.
    Like any organization, 1Password does use a small number of internal tools and services that use Java and Log4j. We have reviewed these tools and services and have identified mitigating factors that were currently preventing these systems from being exploited by this issue. We are working on rolling out further mitigations and vendor updates to these systems as appropriate to eliminate any residual risk in these areas.
    Please let us know should you have any further questions - we'd be happy to help
    Thank you
    Connor Smith

  • paulpharr
    Community Member

    Thanks 1Password - that's exactly what we were hoping you'd say!

  • KeySurfer
    Community Member

    That's brilliant, thanks for sharing Zenistar.
    Totally understand they are trying to track other software on their system that uses it, as we all are at present :-). Good to know the service isn't affected directly however.
    Thanks again.

  • Hey folks,

    Thanks for reaching out about this! To add on to what my colleague Connor mentioned in @Zenistar's quote, the other thing we'd recommend is staying up-to-date on your software. Please let us know if you have further questions!

    Jack

  • JasonRH
    Community Member

    Why isn't there a simple statement or FAQ on the website support page about this?

  • Hi @JasonRH

    We've just published a knowledge base article on the subject. You can find it here:

    https://support.1password.com/kb/202112/

    We're also working on getting our situation added to the CISA Github repo: https://github.com/cisagov/log4j-affected-db/pull/266. It looks like that merged, so we should be listed. 🤞

    Ben

This discussion has been closed.