Drupal Highly Critical Security Update

The Drupal Security team released a note letting Drupal site owners know a security update would release on Wednesday, March 28th.

This security update covers Drupal 6LTS (Long Term Support), Drupal 7, Drupal 8.3, Drupal 8.4, and Drupal 8.5.

There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 – 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.

Drupal Security Team

Drupal does not typically announce security updates ahead of time. The last time there was an announcement of this size was during Drupalgeddon. It is also unusual for Drupal to provide security updates for versions that are no longer supported, in this case Drupal 6, 8.3, and 8.4.


Ancient armor (Source: Pixabay.com)

Drupalgeddon was an SQL injection exploit that targeted key/value pairing to achieve a remote shell. The key was a newly created user with administrator rights, used to bundle executable code (the payload) into a post.

Administrator accounts were created and given access to sensitive parts of websites.

A database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.

Drupal Security Team

Remote Code Execution

This most recent security release fixes a remote code execution vulnerability, along with other vulnerabilities, that would allow any site visitor to run code of their choice.

The Drupal Security Team released an FAQ regarding this release marked as Highly Critical.


If your site has been hacked and you manage it yourself, the Drupal Security Team has a general guide to get you back up and running.

The Drupal Security Team expects that there will be exploits targeting affected Drupal websites within hours, or perhaps days.

Contact your Drupal administrator to get your site updated.

If you do not have someone that can update your Drupal website, you can contact Launch Brigade or call 831 480-7190.

Darren Odden


The charismatic megafauna of love. Built by Divine Design architecting strategies designed to engage. Frank Lloyd Wright shed a single glistening tear at the beauty of his application architecture.

