The Drupal Security Team released a note letting Drupal site owners know that a security update would be released on Wednesday, March 28th.
This security update covers Drupal 6 LTS (Long Term Support), Drupal 7, Drupal 8.3, Drupal 8.4, and Drupal 8.5.
There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th, 2018 between 18:00 – 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.
Drupal does not typically announce security updates ahead of time. The last time there was an announcement of this size was during Drupalgeddon. It is also unusual for Drupal to provide security updates for versions that are no longer supported, in this case Drupal 6, 8.3, and 8.4.
Drupalgeddon (SA-CORE-2014-005) was an SQL injection vulnerability in Drupal 7's database abstraction layer. When a query parameter was submitted as an array, the array keys taken from the request were spliced into the SQL text without sanitization, so an attacker could smuggle arbitrary SQL through a single key/value pair in an ordinary form submission, such as the login form. Typical payloads created a new user with administrator rights or wrote executable PHP code into the database, giving the attacker a remote shell and access to sensitive parts of the site.
The 2014 advisory summarized it this way: Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.
Remote Code Execution
The current security release fixes a remote code execution vulnerability, along with other vulnerabilities, that would allow any site visitor to run code of their choice on an affected site.
The Drupal Security Team released an FAQ regarding this release marked as Highly Critical.
If your site has already been compromised and you manage it yourself, the Drupal Security Team also publishes a general guide to recovering a hacked site and getting it back up and running.
The Drupal Security Team expects that there will be exploits targeting affected Drupal websites within hours, or perhaps days.
Contact your Drupal administrator to get your site updated.