LabKey Update Recommended: Apache Batik Disclosed Vulnerabilities

LabKey Support Forum
hannahb  2022-11-03 10:54
Status: Active

Hello,

This is a recommendation to upgrade your LabKey Servers immediately. If you are a LabKey Cloud customer, we will perform the upgrade and notify you of the short server downtime. For anyone managing their own LabKey Server, or for more details, read on.

Recently, the developers of Apache Batik announced two security vulnerabilities, https://nvd.nist.gov/vuln/detail/CVE-2022-41704 and https://nvd.nist.gov/vuln/detail/CVE-2022-42890. Both allow Java code to be run from a crafted SVG file and both are fixed in Batik 1.16.

Batik is a library that LabKey Server uses to convert SVGs into PNGs and PDFs. We have assessed these vulnerabilities and determined that some versions of LabKey Server are impacted.

LabKey previously added a related mitigation, which is included in versions 22.7.3, 22.9.0, and 22.10.0 (and beyond). That mitigation addresses these vulnerabilities even without upgrading Batik itself.

LabKey will include the latest version of Batik, 1.16, in the upcoming 22.7.8 and 22.11.0 releases. LabKey has also prepared version 22.3.10 to address 22.3.x deployments.

We recommend that all LabKey users on versions older than 22.7.3 upgrade to one of the secured versions immediately. By the end of the day today, the LabKey team will push new secured builds to your support portal. We will also make these changes for all LabKey Cloud customers not already on secured versions, which will involve a short server downtime. You will receive notice of this downtime.

Additionally, OpenSSL has disclosed two recent vulnerabilities in their 3.0.x versions (buffer overflows in X.509 email address parsing, fixed in 3.0.7; the 1.1.1 series is not affected): https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

LabKey Server itself is NOT IMPACTED by this. However, other common software, including many recent Linux distributions, relies on OpenSSL, so please check the hosts that run or front your server (for example with "openssl version") and patch as appropriate.

Please reach out if you have any questions or concerns for us.
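For administrators of self-managed servers who want to confirm which Batik build a deployment actually ships, before and after upgrading, here is an added example (not LabKey's own tooling). It walks a directory tree for batik-*.jar files, reads each jar's META-INF/MANIFEST.MF, and reports any jar whose version is below 1.16 (the release that fixes CVE-2022-41704 and CVE-2022-42890) or whose version cannot be determined. The Tomcat path mentioned in the docstring, the manifest attribute names it looks for, and the sample jars the demo builds in a temporary directory are assumptions and constructed input, not real Batik artifacts.

```python
"""Audit a LabKey/Tomcat deployment for Apache Batik jars older than 1.16.

Added example, not LabKey's own tooling. Point find_vulnerable_batik_jars()
at the webapp's lib directory (for a self-managed server this is typically
<tomcat>/webapps/labkey/WEB-INF/lib; that path is an assumption) and it
returns every batik-*.jar that is older than 1.16 or of unknown version.
"""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (1, 16)  # Batik release that fixes CVE-2022-41704 / CVE-2022-42890
_JAR_RE = re.compile(r"^batik-.*\.jar$", re.IGNORECASE)
_FILENAME_VERSION_RE = re.compile(r"-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """Turn '1.14' or '1.16.0' into a comparable tuple of ints; None if unparsable."""
    m = re.search(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def manifest_version(jar_path):
    """Return the version declared in the jar's META-INF/MANIFEST.MF, or None.

    Implementation-Version and Bundle-Version are the attributes Maven-built
    jars commonly set (assumption: not every Batik build sets both). Manifest
    lines over 72 bytes are continued on the next line after a single space,
    so the text is unfolded before parsing.
    """
    try:
        with zipfile.ZipFile(jar_path) as jar:
            raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    unfolded = raw.replace("\r\n", "\n").replace("\n ", "")
    attrs = {}
    for line in unfolded.split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip().lower()] = value.strip()
    for key in ("implementation-version", "bundle-version"):
        if key in attrs:
            return attrs[key]
    return None


def batik_version(jar_path):
    """Best-effort version: the manifest first, then a '-1.14.jar' filename suffix."""
    version = parse_version(manifest_version(jar_path))
    if version is None:
        m = _FILENAME_VERSION_RE.search(os.path.basename(jar_path))
        version = parse_version(m.group(1)) if m else None
    return version


def find_vulnerable_batik_jars(root):
    """Return sorted [(path, version_tuple_or_None)] for batik jars below FIXED_VERSION.

    Jars whose version cannot be determined are reported too (version None):
    an unknown version should be treated as unpatched until checked by hand.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if _JAR_RE.match(name):
                path = os.path.join(dirpath, name)
                version = batik_version(path)
                if version is None or version < FIXED_VERSION:
                    findings.append((path, version))
    return sorted(findings)


def _make_fake_jar(path, version=None):
    """Constructed sample input: a minimal jar holding only a manifest (not a real Batik jar)."""
    manifest = "Manifest-Version: 1.0\n"
    if version:
        manifest += f"Implementation-Version: {version}\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)


def demo():
    """Build a throwaway WEB-INF/lib with constructed sample jars and audit it."""
    root = tempfile.mkdtemp(prefix="labkey-lib-")
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    _make_fake_jar(os.path.join(lib, "batik-transcoder-1.14.jar"), "1.14")  # vulnerable
    _make_fake_jar(os.path.join(lib, "batik-codec-1.16.jar"), "1.16")       # fixed
    _make_fake_jar(os.path.join(lib, "batik-svggen.jar"))                    # version unknown
    _make_fake_jar(os.path.join(lib, "xmlgraphics-commons-2.7.jar"), "2.7")  # not Batik, ignored
    return [(os.path.basename(p), v) for p, v in find_vulnerable_batik_jars(root)]


if __name__ == "__main__":
    for name, version in demo():
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{name}: {shown} (below 1.16, upgrade)")
```

Run it against the real lib directory with find_vulnerable_batik_jars("/path/to/tomcat/webapps/labkey/WEB-INF/lib") after an upgrade; an empty result means every Batik jar found declares 1.16 or later. The version-unknown case is reported deliberately, because a jar with no version information is exactly the one that gets overlooked.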