ExpressVPN Announces Protection for the Log4Shell Vulnerability

ExpressVPN Patch for Log4Shell

The race to patch systems against the recently uncovered Log4Shell vulnerability is on and ExpressVPN has joined in on the race. Today, ExpressVPN announced the rollout of a new level of protection against the Log4Shell vulnerability to help protect their customers. The best part is, there’s nothing for current customers to do to take advantage of the protection. They simply have to turn on their VPN.

“While this vulnerability has not affected us directly and the security of our company systems is intact, we were not content to sit and watch this impact the world. Many of the sites and services our customers rely on are being affected. Given that LDAP is a networking protocol, we saw an opportunity for us as a VPN to provide an essential layer of protection against this vulnerability.” Peter Membrey, Chief Architect of ExpressVPN, says:

What Is Log4Shell?

Log4Shell is a critical zero-day remote code execution exploitation in versions of Log4j, an open-source Java logging library that is widely used in programs such as online games, large enterprise software, and even entire cloud data centers. The attack is executed without the victim clicking any link, pressing any key, or otherwise taking any action.

Log4Shell (or CVE-2021-44228) has a maximum severity rating of 10.0. This means that hackers can take full control of a vulnerable system remotely without any actual interaction with the victim. It’s easy and fast, not requiring much skill.

It is called a zero-day vulnerability because companies have zero days to fix the issue before the damage is done by hackers. The exploitation has been found in Minecraft and large companies, including Apple’s iCloud, Steam, Amazon, Tesla, and Twitter have been identified as vulnerable.

How Is ExpressVPN Addressing Log4Shell?

ExpressVPN’s team identified that Log4Shell is an “LDAP and Java REMI-reliant vulnerability.” They decided to implement a port-based blocking solution since it was the fastest option to deploy and still be effective. At 9:30 GMT, December 14, 2021, ExpressVPN’s new layer of protection went live across all of the company’s VPN servers worldwide. The company did state that they will continue to work on the more extensive solution, a packet-based approach, and would roll it out as soon as it was ready. ExpressVPN wants to make it clear that this is not a complete fix for the issue.

“To be clear, this is not a silver bullet, but it will make a significant impact on protecting internet users,” says Membrey.

For more information about ExpressVPN and how its VPN service can help protect your information, read our ExpressVPN Review.

Security research coordinator
Kat is an IT security business consultant with experience in project management, process development, and leadership. She coordinates our team's research efforts in the field of cybersecurity, privacy, and censorship.