{"id":19386,"date":"2021-12-14T12:33:50","date_gmt":"2021-12-14T20:33:50","guid":{"rendered":"https:\/\/www.privateinternetaccess.com\/blog\/?p=19386"},"modified":"2024-01-23T22:23:53","modified_gmt":"2024-01-24T06:23:53","slug":"private-internet-access-vpn-issues-update-to-protect-users-against-apache-log4j-log4shell-exploit","status":"publish","type":"post","link":"https:\/\/www.privateinternetaccess.com\/blog\/private-internet-access-vpn-issues-update-to-protect-users-against-apache-log4j-log4shell-exploit\/","title":{"rendered":"Private Internet Access VPN Issues Update to Protect Users Against Apache Log4j\/Log4Shell Exploit"},"content":{"rendered":"\n

On\u00a0December 9, 2021, a\u00a0zero-day vulnerability\u00a0was\u00a0disclosed\u00a0in the open-source Apache library in one of its Java-logging frameworks\u00a0\u2013\u00a0Log4j\u00a02, with the vulnerability being named\u00a0\u201cLog4Shell\u201d.\u00a0Cybersecurity agencies around the world are correctly calling this a massive, critical-level\u00a0threat,\u00a0with\u00a0tech\u00a0experts\u00a0sounding the alarm\u00a0and\u00a0saying\u00a0that\u00a0the Log4Shell exploit is,\u00a0\u201cthe single biggest, most critical vulnerability of the last decade.<\/a>\u201d\u00a0<\/p>\n\n\n\n

Since the threat was\u00a0disclosed,\u00a0our\u00a0engineers\u00a0have been working\u00a0around-the-clock\u00a0to\u00a0come up with\u00a0a patch\u00a0that can not only protect\u00a0our\u00a0users from exploits in our system but can\u00a0also\u00a0help\u00a0protect\u00a0PIA\u2019s VPN\u00a0users from the Log4j 2 vulnerability altogether. <\/p>\n\n\n\n

We\u2019ve issued an update to our VPN infrastructure that now protects all PIA users against most Log4Shell exploits while they\u2019re connected to the VPN (but, as we\u2019ll note in this article, it\u2019s not a foolproof solution). <\/strong><\/p>\n\n\n\n

Here\u2019s\u00a0what we did:\u00a0<\/p>\n\n\n\n

We\u2019ve\u00a0Blocked\u00a0Traffic to\u00a0the Lightweight Directory Access Protocol (LDAP)<\/strong>\u00a0<\/h2>\n\n\n\n

The\u00a0Log4Shell\u00a0exploit has been found to\u00a0primarily\u00a0use\u00a0certain ports of the\u00a0networking protocol LDAP.\u00a0Considering that we can simply block\u00a0LDAP traffic from going through our VPN,\u00a0we\u2019ve\u00a0decided that not only is this a practical solution to overcome\u00a0the main\u00a0Log4Shell exploit, but that\u00a0it\u2019s\u00a0our duty as a network-based\u00a0security service to do so.\u00a0\u00a0<\/p>\n\n\n\n

By blocking LDAP traffic, an\u00a0attacker\u00a0can no\u00a0longer\u00a0force your device to\u00a0connect\u00a0to a suspicious LDAP\u00a0server and load the\u00a0malicious\u00a0code\u00a0used in\u00a0the\u00a0exploit.\u00a0To achieve this,\u00a0we\u2019ve\u00a0implemented firewalls across\u00a0all of\u00a0our VPN servers that block certain\u00a0LDAP ports known to be used in the attacks.\u00a0\u00a0<\/p>\n\n\n\n

This effectively blocks\u00a0most\u00a0Log4Shell\u00a0exploits\u00a0at\u00a0the network level,\u00a0ensuring that no malicious\u00a0code\u00a0can\u00a0be sent via\u00a0these\u00a0attack vectors.\u00a0<\/p>\n\n\n\n

This is not a foolproof, long-term solution, and you should focus on upgrading any Java application that you are currently using on your device\u00a0for complete Log4Shell protection. For a full list of vulnerable applications, go here<\/a>.\u00a0<\/p>\n\n\n\n

In short: Simply connecting to PIA\u2019s VPN\u00a0now\u00a0protects against the main way hackers exploit\u00a0the Log4j\/Log4Shell vulnerability.<\/strong><\/span><\/p>\n\n\n\n

We\u2019ve\u00a0Also\u00a0Identified &\u00a0Taken Extra Security Measures\u00a0to Guarantee Internal\u00a0Safety<\/strong>\u00a0<\/h2>\n\n\n\n

While it needs to be noted that at no point is\/was any user data threatened or compromised,\u00a0we\u2019ve\u00a0taken extra security measures to make sure our\u00a0internal\u00a0systems stay rock solid.\u00a0\u00a0<\/p>\n\n\n\n

Specifically, we\u2019ve:\u00a0<\/p>\n\n\n\n