Emburse Response:
Log4j

Emburse Response to CVE-2021-44228 and CVE-2021-45046 – Apache Log4j Remote Code Execution Vulnerabilities


Emburse has investigated the remote code execution vulnerabilities (CVE-2021-44228 and CVE-2021-45046) related to Apache Log4j, a logging tool used in many Java-based applications, published December 9, December 14,  and December 22, 2021. As the industry at large continues to gain a deeper understanding of the impact of this threat, we will publish technical information to help customers detect, investigate, and mitigate attacks. We will update this article with information and protection details as they become available.
 
In addition to monitoring the threat landscape for attacks and developing customer protections, our security teams have conducted an investigation of our products and services as it relates to Apache Log4j and have taken quick and decisive action to mitigate risk. Our first and foremost priority is our valued clients, and we will continue taking all necessary steps to ensure transparency and security.
 
 

Confidentiality, Integrity, and Availability of Client Data 

Based on detective controls, monitoring, and alerting, Emburse does not have any reason to believe that any data has been accessed, modified, or otherwise affected as part of this vulnerability. 

 

Overview of Emburse’s Response

Due to the wide-reaching nature of this vulnerability, Emburse prioritized our response in accordance with overall risk of an affected product or service. We focused our mitigation efforts on those products and services that were directly accessible from the public Internet. We then focused our efforts on sub-service organizations to ensure they were able to mitigate the vulnerability in their product(s).
 
Emburse’s team continues to monitor our products and new information related to these vulnerabilities to ensure our products are as safe and secure as possible for our clients.
 


Mitigation Tactics for Impacted Emburse Products

Emburse has already completed the following steps to mitigate the vulnerability in the impacted environment:

  1. Implemented Web Application Firewall (WAF) rules that detect attempted attacks and prevent this communication from being sent to our backend servers. (Completed Dec 12)
  2. Emburse introduced blocking Java Virtual Machine (JVM) rules. Emburse’s security policy has always required that all traffic into or out of our servers must be restricted using a least-privilege policy. Unless there is a business requirement, no traffic will be allowed into or out of our servers. One of the best strategies for mitigating this vulnerability is by restricting outbound communication with untrusted servers. We do not allow outbound traffic to untrusted servers. (Completed Dec 12)
  3. Disabled unused API endpoints to narrow the attack surface. (Completed Dec 12)
  4. Disabled parts of the log4j software that run on impacted servers in our  environment. (Completed Dec 14)

 

Impacted Product Lines


Chrome River 

Chrome River has public Internet-facing components that use Java. There were 15 instances of the affected versions of log4j. 
 
Emburse completely patched versions of Chrome River and ensured that the newest versions of log4j (version 2.17) were not subject to this vulnerability. Incorporating the latest version of log4j was not a drop-in replacement and required developer effort to make use of the new log4j library.  

 


Nexonia

Nexonia has public Internet-facing components that use Java. There was  1 instance of the affected version of log4j. Nexonia has now moved away from using log4j.
 
Prior to removing the need for log4j, Emburse completely patched versions of Nexonia and replaced log4j (version 2.16) with another software not subject to this vulnerability. Replacing log4j was not a drop-in replacement and required developer effort.
 


DVI

DVI has public Internet-facing components that use Java. There were 24 instances of the affected versions of log4j 2.11.0 or 2.11.1.  
 
Emburse completely patched versions of DVI systems and ensured that the patched versions of log4j were not subject to this vulnerability. Log4j 2.11.0 and 2.11.1 were patched in-place. DVI is now on the newest version (2.17) which is not subject to this vulnerability. 

 

 

Non-Impacted Product Lines

  • Certify Expense
  • Certify AP
  • Certify Travel
  • Roadmap
  • Tallie
  • SpringAhead
  • ExpenseWatch
  • Emburse Cards
  • Abacus
  • Captio
  • Nexonia - post removal of log4j


Sub-service Organization Integrations for Emburse

Emburse reviewed over 200 sub service organizations that serve Emburse. 
  • For Chrome River, we identified 18 that are considered critical. Of these 18, all either remediated the vulnerability and patched to version 2.17 or were not impacted.
  • For Nexonia, we identified 11 that are considered critical. Of these 11, all either remediated the vulnerability and patched to version 2.16 or were not impacted. All were removed post the 2.16 patch.
  • For DVI, we identified 8 that are considered critical. Of these 8, all either remediated the vulnerability and patched to version 2.17 or were not impacted.
  • For non-impacted business units, Emburse reviewed all critical vendors for each business unit and determined that the 50+ critical vendors all either premeditated the vulnerability and patched to version 2.17 or were not impacted.

Last date updated: 12.22.2021