Trust Center


Welcome to Fruition's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.

Trust Center Updates

Fruition Does Not Use Polyfill

Vulnerabilities

No client impact notice - Polyfill.io, a domain used by more than 110,000 websites to deliver JavaScript code, has been used for a supply chain attack, potentially leading to data theft and clickjacking attacks. This story has been covered on several national news sites, which in turn has generated a few questions from clients' CISOs. This is an important story for mainstream media to cover, and we're glad that supply chain attacks are becoming better understood. Fruition has never used Polyfill, so no Fruition clients have been impacted.

Supply chain attacks are very serious and high on Fruition's radar. We mitigate supply chain risk by scanning every layer of the Docker images used to build sites. As always, feel free to reach out if you would like more information.

CVE-2024-3094

Vulnerabilities

All Kubernetes (k8s) nodes have SSH disabled (the default).

GitLab (https://git.fruition.net) has confirmed that they do not use xz-utils. (Official statement)

Our base Docker images (all our sites are built off a common set of images, i.e., fruition/fruition-internal-base-images) are not running an SSH server, so they are unaffected.

We have run scans on all images that we use and have not found any image with this CVE.

CVE-2023-32193 - Rancher

Vulnerabilities

A vulnerability has been identified in Norman's public API endpoint that allows unauthenticated cross-site scripting (XSS). An attacker exploiting it can trigger JavaScript execution and run commands remotely.

The attack vector was identified as a Reflected XSS.

Norman API propagates malicious payloads from user input to the UI, which renders the output. For example, a malicious URL gets rendered into a script that is executed on a page.

Fruition patched this vulnerability within 12 hours of the release.

CVE-2023-32193 - Rancher

Vulnerabilities

A vulnerability was discovered in Rancher's and Fleet's agents, currently deemed a medium to high severity CVE, that under very specific circumstances allows a malicious actor to take over existing Rancher nodes. The attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain in order to exploit this vulnerability. The targeted domain is the one used as the Rancher URL (the server-url of the Rancher cluster). At the moment there is no fix available and it affects all supported versions of Rancher.

CVE-2024-0402

Vulnerabilities

GitLab has released a Critical Security Release (16.8.1, 16.7.4, 16.6.6, 16.5.8) for GitLab Community Edition (CE) and Enterprise Edition (EE). Fruition has a mitigation in place; the GitLab update will occur on the regular schedule. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0402
