In the interests of transparency and in keeping with the ethos of open source software, we’re advising clients of two security issues.
To register for any further product/service alerts, including security notifications, please subscribe to our Product and Services newsletter.
For more info on our support packages, please visit our support web page or contact us for a quote.
1. CVE-2024-36401 (in relation to GeoServer)
There is a stable release of GeoServer recommended for production use. This release is made ahead of schedule to address an urgent bug or security vulnerability: CVE-2024-36401.
We’ve been in contact with our existing “higher risk” customers on Priority Support packages. We’ve also contacted customers without support as a courtesy to see if they need help.
More information about the support available from Astun
We have pulled together a package for our hosted customers who have live “mission-critical” systems that demand minimum downtime. This involves a process that we undertake on a customer’s behalf.
If existing customers who host themselves need support, we can explore working with them to provide a framework for resolution.
As with any set of technical consultancy services, our services are chargeable (unless you have a current subscription to Priority Support). Call-off time can be used instead of payment providing you have adequate time available.
Next week (w/c 1st July), there will be a widespread security announcement regarding GeoServer. If needed, we will share more information with clients who have been on GeoServer training or have a support package.
2. Polyfill.io
There is a potential vulnerability related to ol-ishare web maps.
The polyfill.io vulnerability
A small number of ol-ishare web maps have used a service called polyfill.io to provide compatibility with older browsers. It has come to light that the domain has been acquired and used to load malicious code into websites that load polyfill.io via a script tag.
Further details of the vulnerability can be found here.
Steps we’ve taken to protect your organisation
We have updated ol-ishare itself to ensure that any ol-ishare apps served via https://ol-ishare.services.astuntechnology.com/v1/ (including point releases such as /v1.1.3) will not be affected.
Any existing Spotlight maps have already been updated and are not vulnerable, the same goes for LiteMap and Loggermaps loaded directly from https://ol-ishare.services.astuntechnology.com/v1/.
How to check if your ol-ishare web map uses polyfill.io
We urge you to check if it uses polyfill.io. Commonly this can be done by viewing the source of the page that loads the map and searching for polyfill.io. Feel free to open a support ticket if you would like help with this.
What to do if your web map uses polyfill.io
We have chosen to make use of an alternative service hosted by CloudFlare, the organisation responsible for the highly regarded cdnjs project. Further details of the CloudFlare alternative can be found here.