Drupal Patches 'Highly Critical' Vulnerability Affecting 1M Sites
The company warned users they’d have to set aside some time to fix a “highly critical” flaw in Drupal 7 and 8 core this week. It arrived on Wednesday.
As expected, the content management system Drupal patched a highly critical vulnerability in Drupal 7 and 8 Core on Wednesday, and warned users not to delay applying the fix.
The update fixes a particularly nasty remote code execution vulnerability in multiple Drupal 7.x and 8.x subsystems that could bring an entire site down.
According to the company, Jasper Mattsson, a Finnish Drupal developer, discovered the bug as part of his general research into the CMS' security.
Drupal didn't get into the details around the vulnerability (CVE-2018-7600) but said it could allow an attacker to exploit multiple attack vectors on a Drupal site. In a FAQ about the vulnerability Drupal said the vulnerability could affect over one million sites, or roughly nine percent of sites on the internet.
While it's unclear whether exploit code exists for the vulnerability, Drupal warns that exploitation could result in all data being modified or deleted.
Site owners are being encouraged to apply the updates as soon as possible, if they haven’t already, to avoid exploitation. Drupal’s infrastructure team warned users Wednesday afternoon - just an hour after it had pushed the patches - that attackers were already using news of the update to target some members of the Drupal community with malicious email sign ups and phishing attacks.
Members of the Drupal community are being targeted with malicious email sign ups, phishing attacks, etc, coordinated with today's release. Pls be careful and take precautions. If you receive a threatening message, please contact the DA and/or your local authorities.
— Drupal infra (@drupal_infra) March 28, 2018
The easiest solution for site owners is to update to Drupal 7 or 8 Core; Drupal 7.58 and Drupal 8.5.1 are the newest, patched versions. If users can't find the bandwidth to update immediately they're being encouraged to apply a patch, something that should, at least in the short term, mitigate the issue.
Given the severity of the issue, Drupal said Wednesday it's providing fixes for 8.3.x and 8.4.x, even though they're no longer supported. Users on those branches should update to version 8.3.9 or 8.4.6 respectively.
Speaking of older Drupal versions, the vulnerability also affects Drupal 6, which reached end of life in February 2016 and is no longer supported. Despite that, Drupal 6 Long Term Support, a group that pushes security fixes for the now defunct CMS, has cobbled together a semiofficial patch.
The update was expected to coincide with a 30-minute Drupal.org git service outage but was compounded by an extended outage. For a short period Wednesday afternoon the content-management framework’s site was offline; users eagerly anticipating the patch were met with a “5xx Server Error” warning when navigating to the page.
The company warned users last week they’d have to set aside some time to fix a “highly critical” flaw in Drupal 7 and 8 core.
“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” a Drupal PSA said at the time.