Welcome to Fruition's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.
Trust Center Updates
All k8s nodes have SSH disabled (the default).
GitLab (https://git.fruition.net) has confirmed that they do not use xz-utils (official statement).
Our base Docker images (all our sites are built from a common set of images, i.e. fruition/fruition-internal-base-images) do not run an SSH server, so they are unaffected.
We have run scans on all images that we use and have not found any image affected by the xz-utils CVE.
A vulnerability has been identified in Norman's public API endpoint that allows unauthenticated cross-site scripting (XSS). An attacker could use it to run JavaScript in a victim's browser and, from there, execute commands remotely.
The attack vector was identified as a reflected XSS.
The Norman API propagates malicious payloads from user input to the UI, which renders the output without neutralizing it. For example, a crafted URL is rendered into a script that is executed on the page.
Fruition patched this vulnerability within 12 hours of the release.
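As an added illustration of the reflected-XSS pattern described above (example code, not Fruition's, Rancher's or Norman's own): a handler that echoes a request parameter straight into HTML, beside the hardened form that HTML-encodes it on output, plus a simple check that can be run over rendered responses. All function names and the sample input are constructed for this example.

```javascript
// Added example (not Fruition's or Norman's code): an API response that
// reflects user input into HTML the UI renders, beside its hardened form.
// All names below are hypothetical.

// HTML-encode the five characters that can break out of text or attribute
// context, so a reflected value is always shown as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the caller-supplied value is concatenated straight into markup,
// so a crafted query string is rendered as script by the browser.
function renderErrorUnsafe(queryParam) {
  return `<div class="error">Unknown resource: ${queryParam}</div>`;
}

// Hardened: the same response, but every dynamic value is encoded on output,
// so the browser displays the payload instead of executing it.
function renderErrorSafe(queryParam) {
  return `<div class="error">Unknown resource: ${escapeHtml(queryParam)}</div>`;
}

// Coarse detection check for a test suite or response review: does a raw
// <script tag or an inline on*= event handler survive in the rendered output?
function containsActiveContent(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample input: a harmless script tag standing in for a payload.
const SAMPLE_PARAM = '<script>console.log("xss")</script>';

// Returns [vulnerable, hardened] rendering for the sample so the two can be
// compared side by side.
function demo() {
  return [renderErrorUnsafe(SAMPLE_PARAM), renderErrorSafe(SAMPLE_PARAM)];
}
```

The encoded response from `renderErrorSafe` is what the browser should receive; encoding at the point of output (not at input) is what closes the propagation path the update describes.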
A vulnerability was discovered in the Rancher and Fleet agents, currently deemed a medium-to-high severity CVE, that under very specific circumstances allows a malicious actor to take over existing Rancher nodes. To exploit it, the attacker would need to control an expired domain or carry out a DNS spoofing/hijacking attack against the domain used as the Rancher URL (the server-url of the Rancher cluster). At the moment there is no fix available, and it affects all supported versions of Rancher.
GitLab has released a critical security release: 16.8.1, 16.7.4, 16.6.6 and 16.5.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). Fruition has a mitigation in place, and the GitLab update will occur on the regular schedule. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0402
GitLab announced a critical vulnerability allowing password resets. The vulnerability was mitigated by two-factor authentication: it allowed a malicious actor to reset passwords but not get past the second factor. Fruition only had a few admin users with direct access to GitLab, and all users had, and still have, 2FA turned on. This vulnerability did not impact SSO users, which covers all other Fruition users. No CVE yet. Fruition has patched our GitLab instance. https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/
Mitigation is limiting API user registration.