February 8, 2023

Volume XIII, Number 39



New Zero-Day Vulnerability for Log4j is the Next Cybersecurity Nightmare

On December 10, 2021, multiple media outlets, the Cybersecurity and Infrastructure Security Administration (CISA), and the director of cybersecurity at the National Security Agency (NSA) began warning of a significant vulnerability in an open-source Apache logging library called “Log4j.” According to multiple sources, software has been publicly released that exploits this vulnerability and allows an attacker to gain full control of affected servers. Log4j is widely used and will take some time to patch and remediate, leaving many corporate systems and cloud environments vulnerable to attack.


Apache Log4j is a Java-based logging utility that is incorporated into numerous frameworks and applications and is used by many major cloud services. On December 6, 2021, Apache announced version 2.15.0 of Log4j, noting that it corrects a critical remote code execution vulnerability, CVE-2021-44228. On December 9, 2021, several cybersecurity- and technical-focused media outlets began reporting that the vulnerability was being actively exploited and could result in a full system takeover.

The seriousness of the vulnerability combined with the widespread adoption of Log4j has resulted in alerts from CISA and the NSA. NSA Cybersecurity Director Rob Joyce tweeted that “[t]he log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA.” Joyce also noted that this vulnerability underscores the need for increased adoption of software bill-of-materials (BOM) practices.

Practical Next Steps

Companies will need to work quickly to assess whether, and to what extent, they or their service providers are using Log4j. The following are questions and considerations for corporate counsel:

  • Are we at risk? Ask IT and security personnel whether any software used in the company’s environment uses Log4j. In particular, inquire whether the company uses the vulnerable version of Apache Log4j.

  • Do our products use Log4j? Your company’s software products may use Log4j. If so, assess the exposure and establish a plan for upgrading to the latest safe version. Your customers will likely be asking, and you should have a response.

  • Ask your service providers whether their products or environment use Log4j. If so, ask whether they have patched to the latest version of Log4j, and have them provide a patch road map if they haven’t patched already.

  • Ready your incident response team and confirm that after-hours contact information for your incident response team is up to date.

  • Confirm your security operations are monitoring Internet-facing systems for indicators of compromise and are prepared to execute your incident response plan.

  • Some public threat intel outlets have identified malicious IP addresses that are actively scanning Internet-facing systems for this vulnerability. Consider blacklisting those malicious IPs.

  • If patching is not an immediate option, consider other containment measures to limit the potential impact of this vulnerability (e.g., sandboxing, air gapping, taking offline).

  • Finally, if involved in a corporate acquisition, query the target entity with similar steps and questions as outlined above, and evaluate the risk accordingly.


© 2023 McDermott Will & Emery

National Law Review, Volume XI, Number 344

About this Author


Todd S. McClelland advises companies on complex, international legal issues associated with cybersecurity breaches and compliance, data privacy compliance, and data, technology, cloud and outsourcing transactions. Todd counsels clients in many industries, including payment processors, cybersecurity product providers, retailers, petro companies, financial institutions and traditional brick-and-mortar companies.

Prior to his legal career, Todd was an engineer designing and programming industrial control, robotics and automation systems. This background gives him unique perspective and...


David P. Saunders (CIPP/US, CIPM) is an experienced litigator who focuses his practice on privacy and cybersecurity matters. David helps clients mitigate and manage risks related to data privacy and cybersecurity, from counseling on compliance with privacy regulations and managing data incident responses, to navigating regulatory investigations and handling biometric and other privacy-related litigation.


David works collaboratively with a diverse range of clients, from small business and pro bono clients to multinational Fortune 100 companies, understanding and advising on...


Robert Duffy helps clients manage their cybersecurity, privacy, and information technology legal risks by delivering practical advice, navigating crisis response and aggressively pursuing justice for victims of cybercrime and business torts. Robert conducts internal investigations into security incidents, vulnerability reports, potential compliance issues, insider threats and other high-stakes matters. Robert helps clients meet regulatory and legal obligations by assessing cybersecurity maturity and developing cost-effective and risk-prioritized remediation plans and...


Fran Forte focuses her practice on privacy and data security matters, advising clients on domestic and international privacy and cybersecurity laws and regulations, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Fran counsels clients in many industries, including cybersecurity product providers, retailers, payment processors, and financial institutions. Fran continuously monitors and advises clients on how privacy and data security laws, regulations and consumer expectations may impact their business practices. Fran has...