2020-02 Security update

Our commitment to Security and Privacy

Labforward is committed to achieving and maintaining the trust of our customers. Integral to this mission is that we always strive to provide robust security procedures and strictly adhere to the GDPR and our Privacy Policy. You can refer to our policy regarding security update disclosures here.

Summary

Labforward released a security update for Labfolder. This release contains:
  1. Security enhancements that help prevent potential cross-site scripting (XSS) vulnerabilities.
  2. General updates to third party library components in response to automated security advisories.
  3. General updates to keep our cloud infrastructure on the latest versions.

Timeline of cross-site scripting issue handling

  • January 16th 2020 – Issue was reported by a former employee of Labfolder.
  • January 17th 2020 – First patch released to the Cloud environment (Labfolder v1.28.14).
  • January 20-24th 2020
    • Further investigation to prevent related issues.
    • Analysis of audit trail and event logs does not show any activity attempting to exploit this vulnerability other than in test accounts.
    • Classification of Severity and Exploitability finalized.
  • January 28th 2020 – Additional security improvements have been released to the Cloud (Labfolder v1.28.16).
  • February 11th 2020 – Final release related to the XSS issue released to Cloud (Labfolder v1.29.0). It also includes the new Well Plate Template feature and application performance improvements.
  • February 12th-24th 2020 – Monitoring period before public disclosure.
  • February 18th 2020 – Release of server update to on-premise customers.
  • February 25th 2020 – Publication of this Security Update and update to Labfolder’s release notes.

Severity = What is the worst theoretical outcome?

Rating: Moderate

Description: Impact of the vulnerability is mitigated to a significant degree by factors such as authentication requirements or applicability only to non-default configurations. In this case, the impact of the XSS vulnerabilities was significantly mitigated by the fact that a bad actor would only be able to share malicious code with members of their own Labfolder group or sub-group. Labforward recommends that customers apply Moderate updates at the earliest opportunity.

Exploitability = What is the likelihood that a vulnerability addressed in a security update will be exploited?

Rating: Exploitation Unlikely

Description: Labforward's analysis shows that working exploit code is unlikely to be used in real attacks. While it might be possible for exploit code to be released that triggers the vulnerability and causes abnormal behavior, the full impact of exploitation would be limited. Moreover, Labforward has not observed this type of vulnerability being actively exploited in the past, so the actual risk of exploitation is significantly lower. Customers who have reviewed the security update to determine its applicability within their environment may therefore prioritize this update below other vulnerabilities within a release.

General Recommendations

  • All users should always use the latest version of one of our recommended browsers (Chrome, Firefox, Edge and Safari). In addition, always update your operating system to the latest version and keep antivirus software in place to protect your devices and data.
  • IT admins of our on-premise customers should update their systems as quickly as practical, especially when a new release includes a security patch.
  • IT admins of our on-premise customers should keep the operating system and all components (e.g. Docker) of their on-prem servers up to date.
  • While our classification system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which updates are required to protect their systems.