The bottom line
Neither 1Password nor AgileBits' internal systems were vulnerable to the Log4j vulnerabilities disclosed in December 2021.
Initial response
As soon as news broke of the Log4j vulnerability (CVE-2021-44228), our teams began reviewing our exposure. The good news is that we don't use Java for the majority of our products, and where we do use Java, for example in 1Password for Android, we don't use Log4j. That means none of our products are affected.
Like most organizations, we run internal tools and services that do use Java and Log4j. We reviewed each of these services, and our review indicated that none of them were directly exploitable. Even so, we have rolled out further mitigations and patches as they have become available, to eliminate any remaining concern.
Continued diligence
The original Log4j vulnerability was quickly followed by two related vulnerabilities, CVE-2021-45046 and CVE-2021-45105. Our products are not affected by these vulnerabilities either, as Log4j is not used in our products. We have reviewed and addressed these as appropriate in our internal tools.
Reducing exposure
As a matter of good practice, we work to eliminate, or severely reduce, the paths through which adversary-controlled content can be passed to subsystems such as logging. This practice would have reduced our exposure even if we had been using the vulnerable software.
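One way to build the kind of boundary described above, as an added example that is not 1Password's or AgileBits' own code: a sanitising layer between request handling and the logging subsystem that keeps adversary-controlled strings out of the logger's message template, neutralises line breaks and template-expansion syntax, and caps their length. All function and constant names here are assumptions.

```python
import logging
import re

# Constructed example (not 1Password's code). Untrusted data never becomes a
# log message or format string; it is escaped and attached as a value only.
MAX_FIELD_LEN = 256
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")        # CR/LF and other C0 controls
_EVENT_RE = re.compile(r"[a-z][a-z0-9_.]*")         # event names are fixed identifiers


def sanitize_field(value, max_len=MAX_FIELD_LEN):
    """Return an untrusted value in a form the logger will record as literal text."""
    text = value if isinstance(value, str) else str(value)
    truncated = len(text) > max_len
    text = text[:max_len]                           # bound size before escaping
    text = text.replace("\\", "\\\\").replace('"', '\\"')
    # "${...}" is lookup/expansion syntax in some logging backends; make it literal.
    text = text.replace("${", "$\\{")
    # Encode control characters so a value cannot forge an extra log line.
    text = _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), text)
    if truncated:
        text += "...[truncated]"
    return text


def format_record(event, **untrusted):
    """Constant event name plus sanitised key="value" pairs, in a fixed layout."""
    if not _EVENT_RE.fullmatch(event):
        raise ValueError("event name must be a fixed identifier, not user data")
    parts = ["event=%s" % event]
    for key in sorted(untrusted):
        parts.append('%s="%s"' % (key, sanitize_field(untrusted[key])))
    return " ".join(parts)


def log_event(logger, event, **untrusted):
    """Emit a record; the format string handed to the logger is always constant."""
    line = format_record(event, **untrusted)
    logger.info("%s", line)                         # data rides only as an argument
    return line


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed inputs: a line-forging attempt and an expansion-syntax string.
    log_event(logging.getLogger("auth"), "login_failed",
              user='alice\r\nevent=login_ok user="admin"', client="${lookup:x}")
```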