[Security-news] 3rd Party Libraries and Supply Chains - PSA-2024-06-26

security-news at drupal.org security-news at drupal.org
Wed Jun 26 15:42:08 UTC 2024


View online: https://www.drupal.org/psa-2024-06-26

Date: 2024-June-26
Description: 
Following on from previous PSAs on 3rd Party code in the Drupal ecosystem:

   * PSA-2011-002 - External libraries and plugins [1]
   * PSA-2019-09-04 - Various 3rd Party Vulnerabilities [2]

It is the policy of the Drupal Security Team that site owners are responsible
for monitoring and maintaining the security of 3rd party libraries.

Supply chains are increasingly complex, and managing the associated risks is
challenging. Website owners should actively manage their dependencies,
potentially leveraging a Software Bill of Materials (SBOM) or scanner
services. Other relevant tools include CSP [3] and SRI [4].
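The SRI mechanism mentioned above is what lets a site pin a third-party script to the exact bytes that were reviewed, so that a CDN which later starts serving different content (the failure mode this PSA describes) is refused by the browser rather than executed. The following is an added example, not part of the PSA and not Drupal project code: it computes the integrity token for a constructed sample script, emits the pinned script tag, and models the browser-side check, including the rule that only the strongest listed algorithm is considered and that an attribute with no valid tokens gives no protection at all. The script contents and the CDN URL are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample: the bytes of a script as the site owner reviewed and pinned them.
PINNED_SCRIPT = b"/* constructed sample polyfill bundle */\nwindow.__polyfilled = true;\n"

# Algorithms the SRI spec allows, in increasing order of strength.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the SRI token for content, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Build a <script> tag pinned with integrity and crossorigin attributes.

    crossorigin="anonymous" is required for SRI on cross-origin scripts so the
    browser can read the response and compare its hash.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(served: bytes, integrity: str) -> bool:
    """Model the browser's SRI decision for the bytes actually served.

    The integrity attribute may hold several space-separated tokens. The
    browser keeps only tokens using the strongest algorithm present and
    executes the script if any of those digests matches. If no token is
    parseable the spec says the check passes, i.e. the script loads unchecked.
    """
    parsed = []
    for token in integrity.split():
        algorithm, _, rest = token.partition("-")
        if algorithm in SRI_ALGORITHMS and rest:
            parsed.append((algorithm, rest.split("?", 1)[0]))  # drop option suffix
    if not parsed:
        return True  # no usable metadata: no SRI protection at all
    strongest = max(parsed, key=lambda pair: SRI_ALGORITHMS.index(pair[0]))[0]
    accepted = {digest for algorithm, digest in parsed if algorithm == strongest}
    served_digest = sri_hash(served, strongest).partition("-")[2]
    return served_digest in accepted


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/polyfill.min.js", PINNED_SCRIPT)
    print(tag)
    print("unchanged script executes:",
          browser_would_execute(PINNED_SCRIPT, sri_hash(PINNED_SCRIPT)))
    print("modified script executes:",
          browser_would_execute(PINNED_SCRIPT + b"// altered", sri_hash(PINNED_SCRIPT)))
```

SRI only applies when the fetched bytes are fixed; a service that tailors its response to the requesting browser cannot be pinned this way, so for such a dependency the remediation is to change the source or remove the dependency, as the PSA goes on to advise. CSP complements SRI by restricting which hosts may supply scripts in the first place.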

Concerns around polyfill.io

The most recent case that has affected some contributed Drupal projects
relates to the polyfill.io service.

Recently, a new organization acquired and updated the polyfill.io service.
The new service appears to be serving malicious content from the polyfill.io
endpoints under specific circumstances.

   * https://thehackernews.com/2024/06/over-110000-websites-affected-by.html [5]
   * https://sansec.io/research/polyfill-supply-chain-attack [6]
   * https://github.com/polyfillpolyfill/polyfill-service/issues/2873 [7]

In response to these concerns, several trusted providers of JavaScript
libraries are now also serving replacements for the polyfill.io service.
Website owners should update their site to incorporate a newer, more reliable
source for the polyfill.io files.

   * https://community.fastly.com/t/new-options-for-polyfill-io-users/2540 [8]
   * https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-yo... [9]

On the other hand, the polyfills may no longer be necessary in many cases,
and it may be possible to remove them from sites rather than rely on a new
source.

Multiple Drupal projects use this service in various ways, and several of
them require code changes and new releases to switch to alternative
providers. Because this concerns 3rd party libraries, the Drupal Security Team
will not be issuing Security Advisories for these projects; the work has been
done in the public issue queues [10] (note this may not be a complete list of
all affected projects).
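Because the affected projects reference the service in different places (library definitions, theme templates, inline script), a site owner cannot rely on the issue queue alone and needs an inventory of their own codebase. The following is an added example, not part of the PSA and not Drupal project code: it walks a tree of source files and reports every line that references the polyfill.io host, exercised here on constructed sample files that imitate a *.libraries.yml entry and a Twig template. The file contents, module and theme names are constructed placeholders; the scan deliberately matches the bare host name so that commented-out or string-built references are surfaced for triage too.

```python
import re
import tempfile
from pathlib import Path

# Bare host match: catches https://polyfill.io/..., //cdn.polyfill.io/..., and
# string fragments in inline JS or comments. Triage the hits by hand.
POLYFILL_HOST = re.compile(r"\bpolyfill\.io\b", re.IGNORECASE)

# File types where a Drupal site typically declares or embeds external scripts.
SCAN_SUFFIXES = {".yml", ".yaml", ".twig", ".html", ".js", ".php",
                 ".module", ".theme", ".inc", ".install"}

# Constructed sample files (illustrative only, not real project code).
SAMPLE_FILES = {
    "modules/custom/mymodule/mymodule.libraries.yml": (
        "polyfill:\n"
        "  js:\n"
        "    https://polyfill.io/v3/polyfill.min.js?features=default: "
        "{ type: external, minified: true }\n"
    ),
    "themes/custom/mytheme/templates/html.html.twig": (
        "<head>\n"
        '  <script src="//cdn.polyfill.io/v2/polyfill.min.js"></script>\n'
        "</head>\n"
    ),
    "themes/custom/mytheme/js/unrelated.js": (
        "// nothing external loaded here\n"
        "console.log('ok');\n"
    ),
}


def scan_tree(root: Path) -> list[tuple[str, int, str]]:
    """Return (path relative to root, line number, stripped line) per reference."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the inventory
        for lineno, line in enumerate(text.splitlines(), start=1):
            if POLYFILL_HOST.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits


def write_samples(root: Path) -> None:
    """Materialise the constructed sample tree under root."""
    for relative, content in SAMPLE_FILES.items():
        target = root / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo() -> list[tuple[str, int, str]]:
    """Scan the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for relative, lineno, line in demo():
        print(f"{relative}:{lineno}: {line}")
```

Run it against a real site by calling `scan_tree(Path("/path/to/drupal/root"))` instead of `demo()`; vendor and contrib directories should be included, since the PSA notes that contributed projects themselves carried the references. Each hit is then either pointed at one of the replacement providers listed above or, where the polyfills are no longer needed, removed.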

There have been significant changes in the way that 3rd party code is
utilized in the Drupal ecosystem since PSA-2011-002 linked to above, but the
remit of the Drupal Security Team remains limited to code hosted on
drupal.org’s systems.

Reported By: 
   * Heikki Ylipaavalniemi [11]
   * jpieper [12]
   * drupalam [13]

Coordinated By: 
   * Drew Webber [14] of the Drupal Security Team
   * Greg Knaddison [15] of the Drupal Security Team
   * Cathy Theys [16] of the Drupal Security Team
   * Juraj Nemec [17] of the Drupal Security Team
   * Michael Hess [18] of the Drupal Security Team


[1] https://www.drupal.org/node/1189632
[2] https://www.drupal.org/psa-2019-09-04
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
[4] https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
[5] https://thehackernews.com/2024/06/over-110000-websites-affected-by.html
[6] https://sansec.io/research/polyfill-supply-chain-attack
[7] https://github.com/polyfillpolyfill/polyfill-service/issues/2873
[8] https://community.fastly.com/t/new-options-for-polyfill-io-users/2540
[9] https://blog.cloudflare.com/polyfill-io-now-available-on-cdnjs-reduce-your-supply-chain-risk
[10] https://www.drupal.org/project/issues/search?issue_tags=polyfill.io
[11] https://www.drupal.org/user/3442607
[12] https://www.drupal.org/user/782988
[13] https://www.drupal.org/user/1076400
[14] https://www.drupal.org/user/255969
[15] https://www.drupal.org/user/36762
[16] https://www.drupal.org/user/258568
[17] https://www.drupal.org/user/272316
[18] https://www.drupal.org/user/102818
