
ExpressVPN Now Comes with Protection Against Log4Shell Vulnerability

By Novak Bozovic / December 16, 2021

Unless you follow the latest cybersecurity news, you might have missed the discussions about Log4Shell, which started to surface online in the last couple of days. In short, Log4Shell is the name given to a zero-day vulnerability that seems to affect millions of applications, cloud services, and individual servers.

The source of the Log4Shell vulnerability is Log4j, an open-source Java logging tool. Supplied by Apache, this utility performs network lookups using the Java Naming and Directory Interface (JNDI) to obtain services from the Lightweight Directory Access Protocol (LDAP). As Log4Shell has now proven, Log4j can interpret a log message as a URL, which leads to executing a harmful command with the full privileges of the main program.

It is important to mention that Log4Shell isn’t just a vulnerability that exists in theory. It has already appeared in the wild, affecting Minecraft’s servers. So, if you need a more in-depth look at Log4Shell, we recommend turning to this Naked Security blog post.

Now, this is where ExpressVPN comes into play, being the first VPN to implement protection against the Log4Shell vulnerability. All ExpressVPN users already have access to this protective layer, which becomes active once a connection is made to any server provided by this VPN.

More precisely, ExpressVPN has turned to a port-based blocking solution, which means that this mitigation is server-side (no action from users is required). As a result, ExpressVPN’s solution should be quite effective in protecting individuals who can now continue using possibly affected services such as Apple’s iCloud, Steam, Amazon, Tesla, and Twitter (to name a few).

Here’s what Peter Membrey, ExpressVPN’s Chief Architect, had to say about the VPN’s decision to implement proactive measures against Log4Shell: “While this vulnerability has not affected us directly and the security of our company systems is intact, we were not content to sit and watch this impact the world. Many of the apps and services our customers rely on are being affected. Given that LDAP is a networking protocol, we saw an opportunity for us as a VPN to provide an essential layer of protection against this vulnerability.”

In the end, we remind you that if you’re a subscriber to ExpressVPN, there are no additional actions that you need to take against Log4Shell. Just make sure to connect to any server before you use Web-based apps. 

And, of course, if you wish to protect yourself against this vulnerability (even before big-name companies start to implement fixes into their software), you can subscribe to ExpressVPN.


