|
This is to inform you that the Drupal CMS team has fixed a highly critical security flaw that allows hackers to take over a site just by accessing an URL. This means that Drupal site owners like yourself should immediately update your sites to Drupal 7.58 or Drupal 8.5.1, depending on the version you’re running. |
|
The Drupal team pre-announced the recent patches last week when it said "exploits might be developed within hours or days" after the disclosure. |
|
Drupal affected by unauthenticated RCE flaw |
|
The bug —tracked under the CVE-2018-7600 identifier— allows an attacker to run any code he desires against the CMS' core component, effectively taking over the site. |
|
The attacker doesn't need to be registered or authenticated on the targeted site, and all the attacker needs to do is access the URL. Here are some relevant FAQs regarding the vulnerability. |
|
Drupalgeddon2 |
|
The Drupal community has already nicknamed this bug as Drupalgeddon2 after the Drupalgeddon security bug (CVE-2014-3704, SQL injection, severity 25/25) disclosed in 2014 that led to numerous Drupal sites getting hacked for years afterward. |
|
The Drupal team says it was not aware of any attacks exploiting the flaw when they published their security alert, but everyone from the official Drupal team to independent security researchers expect this vulnerability to enter active exploitation within hours or days. Patching should not be ignored. |
|
EOLed Drupal 6 also affected |
|
Besides fixes for Drupal's two main branches —7.x and 8.x— the Drupal team announced patches for the ancient 6.x branch that was discontinued in February 2016. Web firewall products are expected to receive updates in the following days to handle exploitation attempts. |
|
Drupal developers recommend patching first, but if this isn't possible, apply mitigation solutions such as temporarily replacing a Drupal site with a static HTML page, so the vulnerable Drupal site would not serve the vulnerable URLs to visitors. In addition, staging and in-dev Drupal installations should be updated or taken down completely until the patch can be applied. To answer any questions you may have regarding this, please see this. |
Thursday, April 5, 2018
