In the last few days there were a number of alarming headlines about the Log4J Shell exploit. Those headlines, understandably, caused considerable concern for security teams around the world, including here at OpenVPN.
While many companies dealt with questions from their customers, we were no different. Support tickets came flooding in from concerned customers who use our commercial software security solutions OpenVPN Cloud and Access Server.
“We’re happy to confirm our products are not affected by the Log4Shell exploit,” says Robert Weiss, Head of Information Security at OpenVPN.
Our self-hosted solution Access Server does not use Java and is therefore not affected by Log4j. No patching or updates are needed by users. Same goes for our cloud based solution, OpenVPN Cloud. No patches are needed to protect against Log4j exploits with either of our products.
The Log4j library is widely used and easily exploited. “The Log4j vulnerability shows that even executing daily security hygiene would not have been enough to protect you. Organizations need to have a capability to monitor, detect and respond to threats and incidents,” explains Weiss.
OpenVPN Cloud users can use the Cyber Shield feature to detect and block traffic trying to exploit the Log4j vulnerability. Cyber Shield Traffic Filtering, when configured to block the Vulnerabilities/Exploits threat category or all Critical and High severity threats, will protect all traffic transiting through OpenVPN Cloud against Log4j (CVE-2021-44228) vulnerability. You can learn more about Cyber Shield and how to configure it here.
“Everyone inherits risk from the organizations they work with and the software they deploy. It is a shared responsibility and we need to protect and secure the whole ecosystem,” says Weiss.
Here’s the latest on the Log4Shell exploit:
What is the Log4Shell Exploit?
The Apache Log4J2 vulnerability, more commonly known as “Log4Shell” or “Log4j”, can be exploited to take remote control of vulnerable systems. The exploit originally appeared on sites hosting Minecraft servers. According to the United States Cybersecurity and Infrastructure Security Agency (CISA), “The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.”
Who is affected by Log4Shell?
We are in no way downplaying the severity of this threat. As reported on Security Boulevard, “... as most of twitter and security experts are saying: this vulnerability is bad. Real bad. A lot of prominent websites run this logger.”
If you’re reading this you’re likely an OpenVPN customer; we want to assure you that our commercial solutions have not been impacted.