This information was sent to U-M IT staff groups via email on March 28, 2018. It is intended for U-M IT staff who are responsible for university websites that use the Drupal content management system.
Last week, we asked that you watch for a promised security update to Drupal with an expected release date of March 28. That security release is now available. Please apply it as soon as possible after appropriate testing.
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. The Drupal Security Team has released security updates and patches to address the vulnerability.
Also be aware that Drupal has reported via its Twitter account that members of the Drupal community are being targeted with malicious email sign-ups, phishing attacks, and similar activity timed to coincide with the release of the Drupal security advisory, releases, and patches.
Affected versions: Drupal 6.x, 7.x, 8.0.x, 8.1.x, 8.3.x, 8.4.x, and 8.5.x.
Note that although Drupal 8.3.x and 8.4.x are no longer supported, the Drupal Security Team has provided security updates for them given the potential severity of the vulnerability. If you are running Drupal 8.3.x or 8.4.x, you should upgrade to a supported version.
Apply the update as soon as possible after appropriate testing. See the Drupal Security Advisory for details and links to the latest releases and patches. See the Drupal FAQ about SA-CORE-2018-002 for additional information.
About updates for U-M services:
A remote code execution vulnerability in Drupal could potentially allow attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Exploits could allow all site data to be modified or deleted. See the Drupal FAQ about SA-CORE-2018-002 for details. The Drupal Security Team expects that exploits might be developed within hours or days now that information about the vulnerability and the security release has been made public.
Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the update. Content managers and website users do not need to do anything.
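An added triage helper for administrators who manage several Drupal sites (this is example code, not part of the U-M advisory or of Drupal itself). It reads the core version out of a site checkout and classifies it against the branches listed above; the minimum patched release per branch is not stated on this page, so the caller supplies that table from the Drupal Security Advisory, and the values used in the comments below are placeholders. It assumes the standard Drupal 7 and 8 file layout, where core defines `VERSION` in `includes/bootstrap.inc` (7.x) or `core/lib/Drupal.php` (8.x).

```python
import re
from pathlib import Path

# Files in which Drupal core records its version (7.x and 8.x respectively).
VERSION_FILES = ("includes/bootstrap.inc", "core/lib/Drupal.php")
# Matches define('VERSION', '7.57'); and const VERSION = '8.5.0';
VERSION_RE = re.compile(r"""VERSION['"]?\s*[,=]\s*['"](\d+\.\d+(?:\.\d+)?)['"]""")

# Branches the advisory lists as affected, and the two it calls unsupported.
AFFECTED_BRANCHES = {"6", "7", "8.0", "8.1", "8.3", "8.4", "8.5"}
UNSUPPORTED_BRANCHES = {"8.3", "8.4"}


def parse_version(source: str):
    """Extract the core version string from a Drupal 7 or 8 source file."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def branch_of(version: str) -> str:
    """6.x and 7.x are single branches; 8.x is tracked per minor (8.5.x)."""
    parts = version.split(".")
    return parts[0] if parts[0] in ("6", "7") else ".".join(parts[:2])


def as_tuple(version: str):
    return tuple(int(p) for p in version.split("."))


def classify(version: str, patched: dict) -> str:
    """patched maps branch -> first fixed release, e.g. {"7": "<PLACEHOLDER>"},
    taken from the advisory. Returns 'patched', 'vulnerable',
    'vulnerable-unsupported-branch' or 'unknown'."""
    branch = branch_of(version)
    if branch not in AFFECTED_BRANCHES:
        return "unknown"
    fixed = patched.get(branch)
    if fixed and as_tuple(version) >= as_tuple(fixed):
        return "patched"
    if branch in UNSUPPORTED_BRANCHES:
        return "vulnerable-unsupported-branch"
    return "vulnerable"


def triage_site(docroot: str, patched: dict):
    """Locate the version file under a site docroot and classify the site."""
    for rel in VERSION_FILES:
        p = Path(docroot) / rel
        if p.is_file():
            v = parse_version(p.read_text(errors="replace"))
            return (v, classify(v, patched)) if v else (None, "unknown")
    return (None, "not-drupal")
```

Run `triage_site` over each docroot in your inventory; anything not reported as `patched` should be updated after testing, and unsupported branches should be moved to a supported release.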
In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.
- Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002 (Drupal, 3/28/18)
- FAQ about SA-CORE-2018-002 (Drupal, 3/28/18)
- IA Advisory: Drupal admins - Watch for security release next week (Safe Computing, 3/23/18)
- Drupal 7 and 8 core highly critical release on March 28th, 2018 PSA-2018-001 (Drupal Security Advisory, 3/21/18)