Documents
Hardened Images Now Standard
Fruition has rolled out hardened zero CVE images for select use cases.
SOC 2 Type 2 and ISO 27001:2022
We are pleased to announce that Fruition has obtained its ISO 27001:2022 and SOC 2 Type 2 certifications.
Fruition has further elected to follow the NIST AI RMF and NIST CSF frameworks.
Fruition Does Not Use Polyfill
No client impact notice - Polyfill.io, a domain used by more than 110,000 websites to deliver JavaScript code, has been used for a supply chain attack, potentially leading to data theft and clickjacking attacks. This story has been covered on several national news sites, which in turn has generated a few questions from clients' CISOs. This is an important story for mainstream media to cover, and we're glad that supply chain attacks are becoming better understood. Fruition has never used Polyfill, so no Fruition clients have been impacted.
Supply chain attacks are very serious and high on Fruition's radar. We mitigate supply chain risk by scanning every layer of the Docker images used to build sites. As always, feel free to reach out if you would like more information.
CVE-2024-3094
All k8s nodes have SSH disabled (the default).
GitLab (https://git.fruition.net) has confirmed that it does not use xz-utils. (Official statement)
Our base Docker images (all our sites are built off a common set of images, i.e. fruition/fruition-internal-base-images) are not running an SSH server, so they are unaffected.
We have scanned all images that we use and have not found any image affected by this CVE.
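An added example, not Fruition's own scanning tooling, of how such a per-image check can be expressed: it parses a constructed dpkg-query package listing from an image layer, flags an xz/liblzma package at an affected version, and records whether an SSH server package is also installed, which is the condition the notice above relies on. The package names and the affected version set are assumptions taken from the upstream CVE-2024-3094 advisory, not from this page.

```python
"""Flag CVE-2024-3094 exposure from a container image's package inventory (added example)."""
from dataclasses import dataclass

# Backdoored xz/liblzma releases per the upstream CVE-2024-3094 advisory (assumption; not stated on this page).
AFFECTED_XZ_VERSIONS = {"5.6.0", "5.6.1"}
# Debian/RPM package names that ship the xz library or tools (assumption).
XZ_PACKAGES = {"xz-utils", "liblzma5", "xz-libs", "xz"}
# The backdoor is only triggered through sshd, so note whether an SSH server is installed at all.
SSH_SERVER_PACKAGES = {"openssh-server"}


@dataclass
class Finding:
    package: str
    version: str
    sshd_present: bool  # True means the known trigger path (an SSH server) exists in the image


def parse_dpkg_list(text: str) -> dict[str, str]:
    """Parse `dpkg-query -W -f='${Package} ${Version}\\n'` output into {name: version}."""
    pkgs: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pkgs[parts[0]] = parts[1]
    return pkgs


def upstream_version(debian_version: str) -> str:
    """Strip the Debian epoch and revision: '1:5.6.1-1' -> '5.6.1'."""
    without_epoch = debian_version.split(":", 1)[-1]
    return without_epoch.split("-", 1)[0]


def assess_image(pkgs: dict[str, str]) -> list[Finding]:
    """Return one Finding per affected xz package; an empty list means the image is clean."""
    sshd_present = any(name in pkgs for name in SSH_SERVER_PACKAGES)
    findings = []
    for name, version in pkgs.items():
        if name in XZ_PACKAGES and upstream_version(version) in AFFECTED_XZ_VERSIONS:
            findings.append(Finding(name, version, sshd_present))
    return findings


# Constructed inventories for three hypothetical images (not real Fruition images).
IMAGE_WITH_SSHD = "liblzma5 5.6.1-1\nopenssh-server 1:9.2p1-2\nbash 5.2.15-2"
IMAGE_WITHOUT_SSHD = "liblzma5 5.6.1-1\nbash 5.2.15-2"
IMAGE_OLDER_XZ = "liblzma5 5.4.5-0.3\nbash 5.2.15-2"
```

An image with an affected liblzma but no SSH server is still reported, since the library should be rebuilt, but its finding carries `sshd_present=False`.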
CVE-2023-32193 - Rancher
A vulnerability has been identified in which an unauthenticated cross-site scripting (XSS) flaw in Norman's public API endpoint can be exploited, allowing an attacker to trigger JavaScript code and execute commands remotely.
The attack vector was identified as reflected XSS.
The Norman API propagates malicious payloads from user input to the UI, which renders the output; for example, a malicious URL gets rendered into a script that is executed on a page.
Fruition patched this vulnerability within 12 hours of the release.