NOTICE: Update Drupal to address critical vulnerabilities

Drupal has has announced updates to multiple third-party modules that address highly critical vulnerabilities that could allow remote code execution. These vulnerable modules are third-party projects that are not part of Drupal core.

There are already reports of exploits in the wild. Exploitation could result in arbitrary PHP code execution by anonymous users. Vulnerable Drupal sites may be compromised quickly.

If the vulnerable third-party modules are in use, update them as soon as possible. Drupal core is not affected. If you do not use these modules, there is nothing you need to do.

• RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
• Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039
• Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038

Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the updates if the vulnerable third-party modules are in use. Users of those systems, and people who use Drupal to update web content, do not need to do anything.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Please contact [email protected].