Spring MVC security vulnerability - LabKey upgrade required

LabKey Support Forum
Posted by hannahb, 2022-03-31 18:23
Status: Active

Yesterday, the developers of Spring MVC announced a security vulnerability, CVE-2022-22965. Spring is a popular open source library used by LabKey Server. We have assessed the vulnerability. While LabKey Server is fortunately not subject to the most commonly reported exploit variant, a customized attack against LabKey Server might succeed.

In the interest of providing hotfixes as quickly as possible, LabKey has applied the Spring development team’s recommended remediation for software that cannot immediately adopt the latest Spring MVC releases (5.3.18 or 5.2.20). We will upgrade to Spring 5.3.x in a future release, but have tested that the current hotfix eliminates the security concern.

By the end of the day today, the LabKey team will push new hotfixed builds to all Premium Edition clients' support portals. We will also make these changes for all LabKey Cloud customers today, which will involve a short server downtime. Community Edition clients should download the latest binaries and perform an upgrade.

In order to minimize the impact of this vulnerability, all administrators must upgrade their installations immediately.

As always, please reach out if you have any questions or concerns for us.