Private Internet Access VPN Issues Update to Protect Users Against Apache Log4j/Log4Shell Exploit

Share on facebook
Share on twitter
Share on linkedin
Share on reddit

On December 9, 2021, a zero-day vulnerability was disclosed in the open-source Apache library in one of its Java-logging frameworks – Log4j 2, with the vulnerability being named “Log4Shell”. Cybersecurity agencies around the world are correctly calling this a massive, critical-level threat, with tech experts sounding the alarm and saying that the Log4Shell exploit is, “the single biggest, most critical vulnerability of the last decade.” 

Since the threat was disclosed, our engineers have been working around-the-clock to come up with a patch that can not only protect our users from exploits in our system but can also help protect PIA’s VPN users from the Log4j 2 vulnerability altogether.

We’ve issued an update to our VPN infrastructure that now protects all PIA users against most Log4Shell exploits while they’re connected to the VPN (but, as we’ll note in this article, it’s not a foolproof solution).

Here’s what we did: 

We’ve Blocked Traffic to the Lightweight Directory Access Protocol (LDAP) 

The Log4Shell exploit has been found to primarily use certain ports of the networking protocol LDAP. Considering that we can simply block LDAP traffic from going through our VPN, we’ve decided that not only is this a practical solution to overcome the main Log4Shell exploit, but that it’s our duty as a network-based security service to do so.  

By

Read more

Explore the site

More from the blog

Latest News