Overview

Security is of the utmost importance to LabKey. We take a proactive approach to improving the platform and creating secure software, testing new and existing features for potential vulnerabilities, and scanning our dependencies. We also acknowledge that security issues will be identified after the software has been developed and deployed. As such, we have instituted the following policies.

Reporting Security Issues

We welcome reports of any issues that the community may identify. Please use our Contact Us form to securely send us information about potential vulnerabilities.

Assessment and Remediation

LabKey may become aware of potential security issues through multiple pathways, including but not limited to:

  • LabKey’s internal testing
  • Automated monitoring of CVEs in third-party dependencies
  • Reports from customers and the wider community

Promptly after being alerted to a potential issue, the LabKey team assesses it. We use the Common Vulnerability Scoring System (CVSS version 3.1) to score the issue, completing the Base Score Metrics assessment under the following assumptions (these conditions do not hold for every deployment; they are intentionally conservative so that the score reflects a worst-case but realistic installation):

  • The deployment is reachable via the public Internet
  • Guest users have read-only access to at least one project
  • Self-registration is enabled, and logged-in users are at least Submitters in one folder
  • The deployment is configured and maintained following industry best practices

LabKey’s score may differ from a third-party library's "official" CVE score. For example, neither LabKey Server nor any of its dependencies may call the vulnerable API described in the CVE, or the vulnerable code path may only be reachable with privileges beyond those in the assumptions above.

Low severity issues (CVSS score: 0.0 - 3.9), including third-party library CVEs, are understood to be low risk and will be addressed in the next Extended Support Release (ESR).

LabKey performs a risk evaluation for medium, high, and critical issues (CVSS score 4.0 and above) and takes at least the following actions for each risk level.

LabKey’s risk assessment and corresponding action:

  • Low: Fix in LabKey Server’s next Extended Support Release (ESR)
  • Medium: Hotfix the current LabKey Server ESR; make the release available to potentially impacted customers; communicate that the release contains a security fix
  • High: Hotfix the current LabKey Server ESR; make the release available to all customers and Community Edition users; communicate that the release contains a security fix
  • Critical: Hotfix the current LabKey Server ESR; expedite the next maintenance release; make the release available to all customers and Community Edition users; broadly communicate that the release contains a security fix

Premium Edition Support

  • LabKey Cloud clients will be upgraded with security hotfixes automatically.
  • For Enterprise Edition clients, LabKey will consider backporting hotfixes to the three most recent ESRs, i.e. the current and two previous ESR releases, covering roughly a calendar year.
  • For Professional and Starter Edition clients, LabKey will only backport to the most recent ESR. However, LabKey provides a six-week grace period after each release is delivered to give clients a reasonable opportunity to upgrade.

Please contact your Account Manager if you have questions or concerns.

LabKey Server CVEs

LabKey has patched the following Common Vulnerabilities and Exposures (CVEs). We thank Tenable and Rhino Security Labs for their issue reports.

CVE, vulnerability type, and versions patched:

  • CVE-2019-3911: Reflected cross-site scripting (XSS). Patched in 18.2-60915 and all official 18.3 and later releases
  • CVE-2019-3912: Open redirects. Patched in all official 18.3 and later releases
  • CVE-2019-3913: Site admins can unmount a drive through invalid input. Patched in all official 18.3 and later releases
  • CVE-2019-9758: Stored cross-site scripting (XSS). Patched in 19.1.1 and all later releases; backported to the 17.2, 18.2, and 18.3 releases
  • CVE-2019-9926: Cross-site request forgery (CSRF) for R script reports. Patched in 19.1.1 and all later releases; backported to the 17.2, 18.2, and 18.3 releases
  • CVE-2019-9757: XML External Entity (XXE) in PDF and SVG generation. Patched in 19.1.1 and all later releases; backported to the 17.2, 18.2, and 18.3 releases

Note that this table covers vulnerabilities in LabKey Server itself. LabKey also tracks vulnerabilities reported in the software it depends on and provides hotfixes for them, as described in the next section.

Dependency CVE Monitoring

Monitoring the third-party libraries we depend on, directly or transitively, is important for keeping our own software free of known vulnerabilities. We have enabled automation that routinely scans all of our Java libraries and matches them against public CVE databases.

Any CVE reported against one of our dependencies is treated like any other test failure in our software and promptly investigated. We keep this list clear by updating the version of the library we use, by changing how we use it, or, in special cases, by suppressing an individual CVE report once we have conclusively determined that it is a false positive or does not apply to our usage.

Please contact us if you have questions or concerns.
