High priority- Log4J security announcement

LabKey Support Forum
High priority - Log4J security announcement | hannahb | 2021-12-15 07:55
Status: Closed

Following up on the critical Log4J vulnerability we communicated about on Friday December 10, we have released LabKey Server 21.11.2 and 21.7.10 that include Log4J version 2.15.0. We have posted updated installers on the Community Edition download page and on customer support portals.

Any installation running LabKey Server 20.11.x or later should immediately upgrade to 21.11.2 or 21.7.10 if an administrator has not already added the -Dlog4j2.formatMsgNoLookups=true system property. For servers that have already added the system property, deploying 21.11.2 or 21.7.10 is optional but recommended. Either approach mitigates the severe vulnerability in Log4J (CVE-2021-44228).

Unfortunately, the Log4J developers today announced a related, moderate vulnerability (CVE-2021-45046). Based on the information available, we have good reason to believe that LabKey Server deployments are NOT impacted. However, we are erring on the side of caution and will be creating new LabKey Server hotfixes that incorporate Log4J 2.16.0. Installations can be updated to this follow-up release on a non-emergency basis.

Do not wait for this follow-up hotfix to protect your servers; you should take action NOW by installing 21.7.10 or 21.11.2 or using the -D system property.

We are sorry for the rapid stream of updates and recommendations, but we want to ensure that all LabKey Server installations are secure and that we keep everyone informed.
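The post names two mitigations: a LabKey hotfix that carries a fixed Log4J (2.15.0 now, 2.16.0 in the follow-up), or the `-Dlog4j2.formatMsgNoLookups=true` JVM system property. The script below is an added example, not part of the LabKey post or the LabKey product, that lets an administrator verify which state a deployment is actually in: it walks a deployment directory for `log4j-core-<version>.jar` files and flags any below a chosen floor (2.16.0 by default, matching the follow-up hotfix; pass `2.15.0` to check against the first one), and it checks a JVM options string for the mitigation property. The jar naming pattern, the directory layout and the sample tree it builds are assumptions constructed for the example; the real LabKey installation paths are not stated in the post.

```shell
#!/bin/sh
# Added example (not LabKey's code): inventory log4j-core jars and check
# for the formatMsgNoLookups mitigation. Assumes jars follow the usual
# Maven naming log4j-core-<version>.jar; adjust the pattern if yours differ.

# Turn "2.15.0" into an integer key (2015000) so versions compare numerically.
# Missing components count as 0; a suffix such as "-rc1" is ignored.
version_key() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# version_ge A B: succeeds when A >= B
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Print one line per log4j-core jar under $1 and fail (return 1) if any jar
# is below the minimum version $2 (default 2.16.0, the follow-up hotfix level).
scan_log4j_jars() {
    root="$1"
    min="${2:-2.16.0}"
    status=0
    # Here-doc keeps the loop in the current shell so $status survives.
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        if version_ge "$ver" "$min"; then
            echo "OK       $jar ($ver)"
        else
            echo "OUTDATED $jar ($ver < $min)"
            status=1
        fi
    done <<EOF
$(find "$root" -type f -name 'log4j-core-*.jar' 2>/dev/null)
EOF
    return $status
}

# Succeeds when the JVM options string (e.g. JAVA_OPTS or CATALINA_OPTS)
# carries the mitigation property exactly as the post gives it.
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed tree: one outdated jar, one at the follow-up level.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webapps/labkey/WEB-INF/lib" "$tmp/lib"
    : > "$tmp/webapps/labkey/WEB-INF/lib/log4j-core-2.14.1.jar"   # constructed
    : > "$tmp/lib/log4j-core-2.16.0.jar"                           # constructed
    scan_log4j_jars "$tmp" 2.16.0 || echo "=> at least one jar needs the hotfix"
    if has_nolookups_flag "-Xmx4g -Dlog4j2.formatMsgNoLookups=true"; then
        echo "=> mitigation property present in sample JVM options"
    fi
    rm -rf "$tmp"
}

demo_scan
```

On a real server, run `scan_log4j_jars /path/to/labkey-tomcat` and `has_nolookups_flag "$CATALINA_OPTS"` (or whatever variable your service unit sets); an OUTDATED line with no mitigation flag is the case the post tells you to act on immediately.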