
Can VPNs Help Protect Against the Log4j Zero-Day Security Flaw in 2022?

The world has been shaken up by a massive wave of cyberattacks exploiting the log4j (log4shell) zero-day flaw. VPNs are riding to the rescue with a temporary fix, but will it work?

By Fergus O'Sullivan (Writer, Former Chief Editor)
— Last Updated: 2021-12-18T06:13:54+00:00

Every admin or network tech in the world is right now working hard to help contain the damage caused by the log4j vulnerability. Several VPNs have also come forward, offering updates to their clients that should help keep hackers at bay while you patch your servers. How do these fixes work, though, and are they even effective?

The answers are a little complicated, as they always are when it comes to tech, but in short, yes, VPNs can help a little on servers left vulnerable by the log4j flaw. 

Key Takeaways:

  • Several VPNs have developed a temporary solution for anybody worried about having been exposed to the log4j flaw.
  • Independent cybersecurity firms agree on paper that the VPNs’ outlined approach could work.
  • This is by no means a fix to any vulnerability; it only serves to sever hackers’ lines of communication.
  • To get rid of any issues permanently, companies will need to patch any servers running the compromised applications.

The three VPN services we know of that are currently offering this protection are PIA, CyberGhost and our favorite VPN service out there, ExpressVPN.

All three are firmly ranked high in our roundup of the best VPN services, so they’re worth your while even without any protection against log4j. To see how they achieve it, though, we’re going to have to take a look at what log4j is and how it works.

  • Log4j is a Java library used by Apache, a popular piece of server software.

  • A flaw was found inside the log4j library that makes it easy for hackers to attack servers running Java-based applications.

  • The first exploits were noticed on December 1, 2021.

What Is Log4j?

A lot has been written about log4j and how it works, so we won’t reinvent the wheel here and will instead just go over the main points. In early December 2021, a flaw was discovered in a library — a repository of reusable code — used by the Apache server software, one of the most widely distributed of its kind; W3Techs estimates that almost one-third of websites run Apache.

Not only do a lot of sites use Apache, many of them use the flawed library, named log4j — hence the name. This means that if your servers run certain applications that use that library, you’re almost certain to have been affected by the flaw.

How Does Log4j Work?

The log4j vulnerability — also called log4shell or CVE-2021-44228 — lets a hacker insert a line of code into the library that tells it to pick up data from another server, one controlled by the hacker. The Malwarebytes blog has a lot more technical detail for those interested.

This means that all kinds of nastiness can be loaded onto a server, from programs that help crypto miners enslave systems, to programs that steal user data. To make things worse, it’s pretty easy to do, too, so there’s no real barrier to entry for the ill-intentioned.

On top of that, log4j is a so-called zero-day vulnerability, meaning hackers discovered it before anybody else did, so many systems were likely compromised before a patch was rolled out.

Who Is Affected by Log4j?

The log4j issue is a mess, there’s no two ways about it. However, it should be noted that it’s mostly a server-side issue. If you’re not running a server — and if you’re not sure whether you are, good news: you’re not — then the chances are slim that your devices are affected by it.

What may affect you is if your data is on the servers that have been hijacked. However, most services will encrypt your data when it’s stored online, so hopefully you won’t experience any ill effects yourself from this whole kerfuffle.

How VPNs Block Log4j Exploits

Ever since the log4j flaw was discovered, admins and security experts everywhere have been working around the clock to patch the issue in the library and roll out the patches. We can only imagine how stressful it must have been.

However, even when patched, issues may remain on servers, and of course not all affected systems have been updated yet. There are, thankfully, a few ways to prevent hackers getting access to servers and, even if breached, to stop them from communicating.

One of the more interesting was advertised by ExpressVPN, PIA and CyberGhost, all VPNs owned by Kape Technologies. All three use the same approach as far as we can tell, described best in this ExpressVPN blog post.

ExpressVPN was one of a few VPNs to offer protection to users for the log4j flaw.

Here’s the strategy: Compromised communication runs over the LDAP networking protocol, and blocking certain ports (the openings through which information flows out onto the internet) prevents hackers from sending data from a server.

According to an email from Secmentis, a cybersecurity firm, this approach could work, though the message did emphasize that the company didn’t test it themselves. They also noted that this method probably won’t work too well for corporate environments, because blocking LDAP traffic isn’t always feasible in those cases.

As such, this fix is most usable for individuals — so the people who need it least — but it is good to know that if you do see suspicious activity on your devices or routers, you can just switch on your VPN.

Other Ways to Block Log4j Traffic

Alternatively, instead of using a VPN, you can also block LDAP traffic yourself. As ExpressVPN itself mentions in its blog post, this traffic uses RMI port 1099 and LDAP ports 389, 636, 1389, 3268 and 3269. Instructions can be found here.
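To show what the port blocking described in the last two sections amounts to on a single Linux host, here is an added example (not from the article, ExpressVPN, PIA or CyberGhost) that generates iptables rules dropping new outbound connections to the RMI and LDAP ports listed above. It assumes iptables with the standard filter table and conntrack match; the function names are our own.

```shell
#!/bin/sh
# Added example: egress blocking for the RMI/LDAP ports the article lists.
# It only blocks the default ports, so, like the VPN approach, it is a
# stop-gap for unpatched hosts, not a fix. Caveat from the article: on a
# domain-joined corporate machine this will break legitimate LDAP traffic.

LOG4J_EGRESS_PORTS="1099 389 636 1389 3268 3269"

# Print one LOG and one DROP rule per port (TCP, new outbound connections).
# Logging first means blocked attempts show up in the kernel log with the
# "log4j-egress:" prefix, which is useful for spotting a compromised host.
log4j_egress_rules() {
    for port in $LOG4J_EGRESS_PORTS; do
        echo "iptables -A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j LOG --log-prefix \"log4j-egress: \""
        echo "iptables -A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -j DROP"
    done
}

# Dry-run by default; set APPLY=1 (as root) to actually install the rules.
apply_log4j_egress_rules() {
    log4j_egress_rules | while read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd"   # eval so the quoted --log-prefix survives intact
        else
            echo "dry-run: $cmd"
        fi
    done
}
```

Run `APPLY=1 sh -c '. ./egress.sh; apply_log4j_egress_rules'` as root to install the rules, and `iptables -F OUTPUT` (or a reboot, if the rules are not persisted) to undo them.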

Final Thoughts

Though having and using a VPN is always a pretty good idea, you don’t really need one if you’re worried about the log4j flaw. For one, if you’re not running a server, you should be fine, and for another, you could always close the ports yourself.

However, as these VPN services themselves mention, this is by no means a fix for any log4j vulnerabilities; it’s a stop-gap solution at best. To truly fix any issues, anyone with an affected server should patch the system and purge it of anything hackers may have left behind. It’s the only way to be sure your server is safe.

Have you fallen victim to hackers exploiting the log4j flaw? Are you worried you might be? What do you think of VPNs jumping into the breach? Leave your thoughts and questions in the comments below and, as always, thank you for reading.
