This post was originally published on December 14, 2021.
ExpressVPN has identified and rolled out a protective layer for the Log4j vulnerability known as Log4Shell. All ExpressVPN users now benefit from this protection—all it takes is turning on the VPN.
The critical zero-day vulnerability (CVE-2021-44228) has been wreaking havoc across the internet, in a scenario that Wired has called “a full-blown security meltdown.” A live exploit has already been demonstrated in Minecraft—and an extensive list of services and companies has been identified as vulnerable, including Apple’s iCloud, Steam, Amazon, Tesla, and Twitter.
This new layer of protection was implemented at 09:30 GMT, December 14, 2021, and is live across all ExpressVPN VPN servers worldwide. This means that everyone using ExpressVPN on their devices or router enjoys protection from the Apache Log4j vulnerability. This mitigation is server-side, so no action from users is required.
Peter Membrey, Chief Architect, ExpressVPN, says: “While this vulnerability has not affected us directly and the security of our company systems is intact, we were not content to sit and watch this impact the world. Many of the apps and services our customers rely on are being affected. Given that LDAP is a networking protocol, we saw an opportunity for us as a VPN to provide an essential layer of protection against this vulnerability.
“Furthermore, while the focus on the risks posed by Log4Shell has been mostly focused on server infrastructure, the fact is that Log4j is also used in many client applications as well, and consumers are vulnerable.
“We identified Log4Shell as an LDAP- and Java RMI-reliant vulnerability, so there were two potential paths for overcoming it: port-based blocking and packet-based blocking. We implemented the port-based blocking solution immediately as it was the fastest solution to bring to market, and responding at speed was crucial to minimize the impact of this vulnerability globally. However, we will continue to work on the packet-based approach and plan to roll it out as soon as it is ready and we are confident we can do it client-side with no negative privacy impacts.”
Log4j vulnerability protection, not a fix
“To be clear, this is not a silver bullet, but it will make a significant impact on protecting internet users,” says Membrey. “The nature of this vulnerability means that just being cybersecurity-savvy won’t protect you from it—especially if you use platforms that allow chat, like Minecraft, or other gaming or social platforms.”
Additional measures to protect yourself
Aside from turning on your VPN for all internet connections, internet users are recommended to:
- Update your firewall settings to block outbound traffic on non-standard ports that you wouldn’t typically use, particularly on those known to be used by Log4Shell (RMI – 1099, LDAP – 389, 636, 1389, 3268, 3269, or other).
- Turn on auto-updates for your applications or update them manually if a security patch is made available.
- Continue checking as additional solutions and mitigations are identified, as the security community’s understanding of this vulnerability and its exploits is evolving. We’ll keep updating this blog post with our recommendations as we learn more.
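The firewall recommendation in the first bullet above, as an added example (not ExpressVPN's own configuration): a script that prints an nftables egress ruleset for the listed ports and flags matching connections in `ss -tn`-style output. The table name, the allowlist parameter, and the sample connections are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Ports are the ones listed in the post; JNDI lookups can name
# any port, so this narrows exposure rather than closing it.
PORTS="389 636 1099 1389 3268 3269"

# Print an nftables ruleset that logs and rejects outbound TCP to $PORTS.
# $1 (optional, hypothetical allowlist): comma-separated IPv4 addresses of
# directory servers that must stay reachable, e.g. a corporate LDAP server.
egress_ruleset() {
    set_ports=$(echo "$PORTS" | sed 's/ /, /g')
    echo "table inet log4shell_egress {"
    echo "  chain output {"
    echo "    type filter hook output priority 0; policy accept;"
    if [ -n "${1:-}" ]; then
        echo "    ip daddr { $1 } tcp dport { $set_ports } accept"
    fi
    echo "    tcp dport { $set_ports } log prefix \"log4shell-egress \" reject with tcp reset"
    echo "  }"
    echo "}"
}

# Read `ss -tn`-style lines on stdin and print peers whose port is in $PORTS.
flag_egress() {
    awk -v ports="$PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "ESTAB" || $1 == "SYN-SENT" {
            k = split($5, part, ":")      # port follows the last colon (IPv4 and [IPv6])
            if (part[k] in watch) print $5
        }'
}

# Constructed sample input (documentation address ranges), not real traffic.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.0.2.10:51514     198.51.100.7:443
ESTAB  0      0      192.0.2.10:51520     203.0.113.5:1389
SYN-SENT 0    1      [2001:db8::a]:51533  [2001:db8::5]:1099
ESTAB  0      0      192.0.2.10:389       198.51.100.9:40222
EOF
}

egress_ruleset "192.0.2.53"
sample_ss | flag_egress
```

Validate the printed ruleset with `nft -c -f -` before loading it. The last sample line has the listed port on the local side only (an inbound connection), so it is not flagged.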
What ExpressVPN is doing internally to counter this threat
We have verified that our codebase is either sufficiently patched or not vulnerable. Separately, we've pushed extended security measures across our network appliances and employee workstations to prevent the vulnerability from working. We are actively monitoring the situation, using threat intelligence sources to watch our estate for signs of intrusion resulting from this vulnerability, and keeping a close eye on all newly discovered software and hardware that might be impacted.
Log4Shell has been given a severity rating of 10.0 out of 10.0 and been called “the bug that’s breaking the internet.”
Key to its significance is the fact that it affects Log4j, which is ubiquitous in internet infrastructure. As a result, it seems that virtually every major service using Java, as well as many apps, is vulnerable in some way.
Furthermore, Log4Shell attacks can be executed easily without the victim clicking any link, pressing any key, or otherwise taking any action. For example, the exploit demonstrated in the popular game Minecraft simply required the malicious actor to input a message into a chat box to gain access to Minecraft’s servers.
With each passing day, more and more apps and services will be at risk of being exploited, including many that our customers are using. The massive scale of this vulnerability only underlines how important it is to find an effective fix quickly.
I want to use ExpressVPN without App in my iPhone, because in my country, there is no ExpressVPN: VPN Fast Proxy in App Store.
Hi – here is a tutorial on how to get the ExpressVPN app if it’s not in your country’s App Store: https://www.expressvpn.com/support/troubleshooting/change-app-store-country/
During 10-DEC-2019 ~ 16-DEC-2021 I looked up at the monitor. MS was installing an update with no warning.
Edge crashed each day after that update. ???? wtf?
16-DEC-2021 Norton 360 antivirus did another crappy patch and killed the computer. It would not boot to the desktop. The behavior was unlike the previous 9 times Norton put out a patch and ruined my life for 4 days. This rig is stock Acer WIN 10.
Three days later I heard about the Log4J.
YaY, this has been fun, and now I am unsure who the enemy is.
I need some help I think my phone might be getting hacked locally can you guys help me out in any way ?
A few months ago I was targeted (for 3 years actually) but this was pure evil. They shut down my phone, devices and also took my iCloud. I still haven’t gotten my devices or my iCloud back. They cloned my iPhone and took my emails and are in control over all of my apps. Even as far as my home. They (whoever they are) were watching me leave and coming into my home. I was in my last semester in college and I couldn’t even do but three assignments. The semester prior, they erased my essays as I turned them into Canvas. I’ve been dealing with gangstalking for several years. They even went as far as frying my battery and alternator, 6 times in a row. I have a good idea as to who these agencies are who are trying to make my life a living hell. I guess they don’t know what I’m made of. 🤷
Thank you for this comment, I have been experiencing gang stalking for a year now and did not even realize it. It was extremely hard at first with my limited computer knowledge but it's getting easier now. Always good to hear other people who have been conquering this.
You guys blow proton and everyone else out there b after when it comes to the VPN game and I love how simple your user interface is too….!!!!!
I’ve been with you guys for years. The trip has been great. Thanks for being the kind of humans we aspire to. Fascism is a disease of the spirit and soul that manifests in dictators, violence, and malware. Thanks for being here. Your work is vital.
Tech Support. I have a new Macbook Pro 16 Max with 32G Ram. ExpressVPN was working well until I updated to the latest MacOS 12.1. Now Express VPN refuses to connect by Ethernet to all EXPv servers. However, all of my other apps, Chrome and Safari are connected to the same ethernet on my computer and working. So it is not my Macbook Pro. Apple has confirmed that the computer is working and connected to the internet. Apple will not give advice if it is a 3rd party software and has referred me to EXPvp tech support. I worked an hour with your EXPvp online support to no avail and sent a photo of EXPvp app not connecting to any of your servers. Apple suggested that EXPv software is not working with the new macOS Monterey 12.1 update. This is my ticket # 17711017
Hi – have you tried reinstalling the app? ExpressVPN works on macOS 12.1 (Monterey). Please try removing the app, downloading it again, and installing again.
Why in the name of all that is holy are you asking for tech support in a blog when ExpressVPN has 24/7 chat support that get with you within the worst I have seen is 5 minutes.
Been here since 2018, and loving it ;). Always brings me joy to know you guys are buffing up my security, thanks all and happy holidays 😉 ^^,
lots of love and hugs from Iceland.
Thank you for using your skills and knowledge FOR THE POSITIVE!!!!
I've been with you for a while and it makes me feel safe, especially under this new threat to our security. I know you got this. Thank you.
I just purchased a month subscription, do not know how to start it up and use it. Detailed instructions please.
First download our app to your device. You can do that here: https://www.expressvpn.com/setup
Then simply open the app and press the “on” button. You’re now using the VPN. For more information on various settings: https://www.expressvpn.com/support/vpn-setup/
it's not connected
Just read about the Log4Shell, it sounds really serious, glad we have you on our side, everything crossed, let’s hope your team can come up with a fix,
I set up an account for 7 day free trial. I want to cancel that set up and subscription now.
It depends on what type of free trial you are on.
To cancel a free trial from Apple’s App Store: https://www.expressvpn.com/support/troubleshooting/ios-in-app-purchases/#cancel
To cancel a free trial from the Google Play Store: https://www.expressvpn.com/support/troubleshooting/play-store-subscriptions/#cancel
Please contact Support via live chat or email if you need more help.