February 6, 2019
The security of our users’ data is of utmost importance to us at LabKey. LabKey Server has functioned as a secure platform for research teams for 15+ years and the LabKey team works diligently to to adapt the platform in order overcome the evolving security challenges of a web-based world.
LabKey releases three major versions of the LabKey Server platform each year, each of which is subjected to extensive automated and manual testing to identify potential bugs and platform vulnerabilities for correction prior to each release. On rare occasion the LabKey team may identify or be notified of an issue that poses a risk to our users’ security. When this occurs, the LabKey team will assess the issue and determine a timeline for resolution based on the severity of the risk. Issues that pose a high security risk to our clients are corrected and delivered via a patched version of the current release to clients and community users as soon as possible.
As a community driven platform, we welcome the collaboration of groups like Tenable, who recently brought to our attention several security vulnerabilities with the LabKey Server 18.2 release. These security issues were resolved in accordance with LabKey’s standard operating procedure for security vulnerabilities; the most serious was addressed with an immediate hotfix to the 18.2 release and the remaining issues patched in LabKey Server 18.3.0-61806.76, released January 16th.
The second issue allowed a malicious entity to create a URL that would initially send a user to a LabKey Server installation, but then redirect them to a third-party server, such as one controlled by the attacker. Users might have inspected the link sufficiently to see that it went to a trusted LabKey Server deployment, but not realized that their browser would later be sent elsewhere.
The third issue was a bug that did not fully handle all possible inputs from a site administrator setting up a network drive mapping on LabKey Server installations on Windows. It would have allowed them to run command-line programs on the server. LabKey assessed this issue as a very low risk, since site administrators are implicitly trusted on all installations with the highest level of access possible within LabKey Server. While the likelihood of this bug resulting in a malicious attack was very low, the LabKey team chose to correct the issue in order to eliminate the risk.
While these specific issues are no longer a threat to the security of our users, we continue to evaluate the security of the platform and address risks as new malicious threats arise. We encourage users to always update to the latest version of LabKey Server to ensure that they have the most up-to-date protection against cyber security threats.