Labfolder: 2022-04 Security update


Our commitment to Security and Privacy

Labforward is committed to achieving and maintaining the trust of our customers. Integral to this mission is that we always strive to provide robust security procedures and strictly adhere to the GDPR and our Privacy Policy. You can refer to our policy regarding security update disclosures here.

Summary

Labforward released a security update for Labfolder and Labregister. This release includes a security hotfix for a critical zero-day vulnerability in the Spring library (CVE-2022-22965), which is used in Labfolder. More information about this vulnerability has been made available here.

Timeline of issue handling

  • March 31st 2022
    • Initial vulnerability report published by VMware (CVE-2022-22965)
    • Updates to Spring Boot have been made available by VMware, Inc.
  • April 1st 2022
    • Initial classification of Severity = Critical and Exploitability = Exploitation More Likely. Base CVSS score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    • We confirmed that Labfolder and Labregister use the open source Spring library and that therefore we needed to take immediate action. Laboperator was not affected.
    • Labfolder Cloud (v2.17.1) was released in the morning.
    • Labfolder On-Premises (v2.17.2 – which included some additional non-security bug fixes) was published on the IT admin portal that evening. We informed all IT administrators of the issue and requested that they apply the updates as soon as possible.
  • May 4th 2022
    • Publication of this security update to our security center.
    • Update of the Labfolder release notes.

Severity = What is the worst theoretical outcome?

Rating: Critical
Description: The vulnerability, when exploited, results in remote code execution on the vulnerable server via data binding. As a result, it is rated at the highest possible severity level.

Exploitability = What is the likelihood that a vulnerability addressed in a security update will be exploited?

Rating: Critical
Description: The specific exploit, which allows remote code execution on an affected server, requires the application to run on Tomcat as a WAR deployment, which is the case for both Labfolder Cloud and on-premises installations. Additionally, the nature of the vulnerability is more general, and there may be other ways to exploit it. On-premises customers of Labfolder should therefore treat this update with a higher priority.

For a more detailed description of this vulnerability, see VMware Spring Framework Security Vulnerability Report.

General recommendations

  • All users should always use the latest version of our recommended browsers (Chrome, Firefox, Edge and Safari). In addition, make sure to always update your operating system to the latest version, and have antivirus software in place to protect your devices and data.
  • IT admins of our On-Premises customers should update their systems as quickly as practical, especially when a new release includes a security patch.
  • IT admins of our On-Premises customers should keep the operating system and all components (e.g. Docker) of their on-prem servers up to date.
  • While our classification system is intended to provide a broadly objective assessment of each issue, we strongly encourage customers to evaluate their own environments and make decisions about which updates are required to protect their systems.