nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Log4j Vulnerability

russellyates comcastcom

Please post all information regarding the Log4j Vulnerability and how itcould impact LastPass users here.

I'm just an LP user, not a moderator or employee. I couldn't find anything on the Last Pass site / support forums regarding the 0 day Log4j Vulnerability, so I created this thread. Thank you

Find more posts tagged with

Accepted answers

ash.canon

Hi@"ryates88"

On Friday, December 10th,azero-dayvulnerabilityaffecting a widely utilizedopen-source loggingtoolthat is part of Apache LoggingServicesimpacted a meaningful subset ofthe software industry.The security of our services and customer data is a top priority for LogMeIn and we are taking this matter very seriously.

Upon becoming aware of the vulnerability, LogMeIn initiated an investigation to determine if any further action is required tomitigate againstthe vulnerability. This investigation, at this time, found no indication of compromise and there is no action required for the vast majority of LastPass customers.

As part of the investigation, our team released an update for LastPass MFA customers utilizing the Universal Proxy on Windows and has enabled the Debug logging level for that tool are highly recommended to update to the newest version of the Universal Proxy 3.1 or 4.1.1.No action is required if you are currently not a LastPass MFA customer using the Universal Proxy on Windows. For more information about this, please visit our Support site.

We will continue to monitor for the latest information regarding this issue with Apache to keep our software and customers safe and secure.

(updated 12/13/21 GlennD)

All comments

Ronny Raschkowan | CORE

Dear AshC,

Thank you for your answer.

You mentioned that LogMeIn initiated an investigation if any further action is required to mitigate against the vulnerability. From the LastPass page alone, I saw credits to the Log4J community, so I assume that the library is being used within LastPass.

Is there any FAQ oder status page planned to update your community about this CVE?

Has the investigation already been completed?

Thanks and best

Ronny

glenn.dobson

Hi@"donron7", LastPass is unaffected. We will update this post if anything new comes to light.

ash.canon

Hi@"ryates88"

On Friday, December 10th,azero-dayvulnerabilityaffecting a widely utilizedopen-source loggingtoolthat is part of Apache LoggingServicesimpacted a meaningful subset ofthe software industry.The security of our services and customer data is a top priority for LogMeIn and we are taking this matter very seriously.

Upon becoming aware of the vulnerability, LogMeIn initiated an investigation to determine if any further action is required tomitigate againstthe vulnerability. This investigation, at this time, found no indication of compromise and there is no action required for the vast majority of LastPass customers.

As part of the investigation, our team released an update for LastPass MFA customers utilizing the Universal Proxy on Windows and has enabled the Debug logging level for that tool are highly recommended to update to the newest version of the Universal Proxy 3.1 or 4.1.1.No action is required if you are currently not a LastPass MFA customer using the Universal Proxy on Windows. For more information about this, please visit our Support site.