ALERT: Drupal admins - Apply security core update ASAP

Wednesday, April 25, 2018

As of late on April 25, 2018, Drupal reports that the vulnerability described here is now being exploited in the wild. Drupal has upgraded the vulnerability from critical to highly critical. Update your Drupal installation as soon as possible.

---------------------------------------

This information was sent to U-M IT staff groups on April 25, 2018. It is intended for U-M IT staff who are responsible for university websites that use the Drupal content management system.

Summary

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This vulnerability could allow attackers to exploit multiple attack vectors on a Drupal site and execute code remotely, which could result in the site being compromised. Drupal has released updates to mitigate the vulnerability. Apply the appropriate update for your version of Drupal as soon as possible after appropriate testing.

Problem

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002.

Affected Versions

Drupal has provided patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x.

Action Items

Given the potential for sites to be compromised by this vulnerability, it is highly recommended that you apply the update as soon as possible after appropriate testing. See the Drupal Security Advisory for details and links to the latest releases and patches.

  • Sites on 7.x or 8.5.x can update using the normal Drupal update procedure.
  • Sites on 8.4.x should immediately update to the 8.4.8 release and then plan to update to 8.5.3 or the latest security release as soon as possible (because 8.4.x no longer receives official security coverage).
  • If your site is on a Drupal 8 release older than 8.4.x, it no longer receives security updates. The provided patches may work for your site, but upgrading is strongly recommended because older Drupal versions contain other disclosed security vulnerabilities.

This security release does not require a database update.

Threats

The identified vulnerability could allow attackers to execute code remotely. This vulnerability is related to the SA-CORE-2018-002 Drupal vulnerability. While SA-CORE-2018-002 is currently being exploited in the wild, there are no reports yet of SA-CORE-2018-004 being exploited.  

If you did not update your Drupal site for the vulnerability announced on March 28 (see IA Alert: Drupal admins - Apply security update ASAP), you should assume the site is compromised. Most compromised sites are being used to distribute spam and to mine bitcoin.

Technical Details

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised.

Information for Users

Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the update. Content managers and website users do not need to do anything.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.