Log4j Vulnerability FAQs for LastPass
Please review important information about the Log4j vulnerability below.
What is the vulnerability?
- On Friday, December 10th, a zero-day vulnerability, affecting a widely utilized open-source logging tool, that is part of Apache Logging Services called Log4j, impacted a meaningful subset of the software industry.
- A second vulnerability involving Apache Log4j was found on Tuesday, December 14th.
- With this vulnerability, for those affected, it is possible that an attacker may be able to gain access and control the log messages or parameters of LDAP or other Java Naming Directory Interface (JNDI) and subsequently could attempt to execute code loaded from remote servers.
Is LastPass impacted?
- Upon becoming aware of the vulnerability, LastPass initiated an investigation to determine if any further action is require to mitigate against the vulnerability. This investigation, at this time, found no indication of compromise, and there is no action required for the vast majority of LastPass customers.
- As part of the investigation, our team released an update for LastPass MFA customers utilizing the Universal Proxy on Windows with Debug logging enabled and those customers are highly recommended to update the newest version of the Universal Proxy 3.0.3 or 4.1.3.
- No action is required if you are currently not a LastPass MFA customer using the Universal Proxy on Windows with Debug logging enabled.
What is the LastPass Universal Proxy?
- The LastPass Universal Proxy extends the reach of LastPass MFA to on-premises applications, such as VPNs, for an additional layer of security across every sign in.
- Please find instructions for setting up the Universal Proxy here.
Do I need to do anything?
- LastPass Free, Premium, Families, Teams, and Business customers do not need to take any action.
- LastPass MFA customers utilizing the Universal Proxy on Windows with Debug logging enabled are highly recommended to update to the newest version of the Universal Proxy 3.0.3 or 4.1.3.