ADVISORY: Drupal admins - Watch for security release next week

Friday, March 23, 2018

This information was sent via email to U-M IT staff groups on March 23, 2018. It is intended for U-M IT staff who are responsible for university websites that use the Drupal content management system.

Summary: 

There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x between 1:30 and 3:30 p.m. EDT on March 28 that will fix a highly critical security vulnerability. Reserve time for core updates at that time because exploits might be developed within hours or days. Watch for an announcement about the release at Drupal Security advisories.

Problem: 

The Drupal Security Team is aware of a highly critical security vulnerability in Drupal. The team will not announce details until a release is available to remediate the vulnerability. Watch for a release on March 28.

Affected Versions: 

Drupal 6.x, 7.x, 8.0.x, 8.1.x, 8.3.x, 8.4.x, and 8.5.x.

Note that although Drupal 8.3.x and 8.4.x are no longer supported, the Drupal Security Team will provide security updates for them given the potential severity of the vulnerability. If you are running Drupal 8.3.x or 8.4.x, you should upgrade to a supported version.

Action Items: 

Watch Drupal Security advisories for an announcement between 1:30 and 3:30 p.m. EDT on Wednesday, March 28. Reserve time to apply the update.

  • Drupal sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the 3/28 Drupal security advisory and plan to update to the latest 8.5.x security release within the next month.
  • Drupal sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the 3/28 Drupal security advisory and plan to update to the latest 8.5.x security release within the next month.
  • Drupal sites on 7.x or 8.5.x can immediately update when the 3/28 Drupal advisory is released using the normal procedure.

The Drupal security advisory will list the appropriate version numbers for all three Drupal 8 branches. Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the backport provided for your site's current branch lets you update quickly without the possible side effects of a minor version update. This does not apply to 7.x sites.

ITS Web Application Hosting. ITS Web Hosting maintains a login machine based on the login.itd.umich.edu pool, but with command-line PHP available. If you have a Drupal installation through ITS Web Hosting, update it using that server:

  1. ssh uniqname@cheerleading.dsc.umich.edu
  2. [log in with UMICH password]
  3. cd [~groupdir/path/to/drupal]
  4. /afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush up
  5. Then follow drush prompts.
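The following script is an added example, not part of this advisory or of ITS Web Hosting's tooling. It reads the core version out of a Drupal docroot and maps it to the branch and action item listed above, so you can check each site before the 3/28 release. It assumes the standard core version locations (includes/bootstrap.inc for 7.x, core/lib/Drupal.php for 8.x); the backport release numbers themselves come only from the Drupal advisory, so none are hard-coded.

```shell
#!/bin/sh
# Added example: classify a Drupal docroot by core branch for this advisory.

# Print the core version string found in a docroot, or nothing if not found.
drupal_version() {
  docroot="$1"
  if [ -f "$docroot/core/lib/Drupal.php" ]; then
    sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" "$docroot/core/lib/Drupal.php"
  elif [ -f "$docroot/includes/bootstrap.inc" ]; then
    sed -n "s/.*define('VERSION', '\([^']*\)').*/\1/p" "$docroot/includes/bootstrap.inc"
  fi
}

# Map a version such as 8.4.5 to the branch label used in the advisory (8.4.x).
drupal_branch() {
  case "$1" in
    6.*) echo "6.x" ;;
    7.*) echo "7.x" ;;
    8.*) echo "$1" | sed 's/^\(8\.[0-9]*\)\..*/\1.x/' ;;
    *)   echo "unknown" ;;
  esac
}

# Action item for the branch, following the advisory's list above.
advisory_action() {
  branch=$(drupal_branch "$1")
  case "$branch" in
    8.3.x|8.4.x) echo "apply the $branch backport from the 3/28 advisory now; move to 8.5.x within a month" ;;
    7.x|8.5.x)   echo "apply the 3/28 release using the normal update procedure" ;;
    6.x|8.0.x|8.1.x) echo "listed as affected but has no action item here; upgrade to a supported branch" ;;
    *)           echo "core version not recognised; inspect the site manually" ;;
  esac
}

# Constructed sample docroots (not real sites, versions chosen for illustration).
sample=$(mktemp -d)
mkdir -p "$sample/d8/core/lib" "$sample/d7/includes"
printf "<?php\nclass Drupal {\n  const VERSION = '8.4.5';\n}\n" > "$sample/d8/core/lib/Drupal.php"
printf "<?php\ndefine('VERSION', '7.57');\n" > "$sample/d7/includes/bootstrap.inc"
for site in "$sample/d8" "$sample/d7"; do
  v=$(drupal_version "$site")
  echo "$site: core $v ($(drupal_branch "$v")) -> $(advisory_action "$v")"
done
rm -rf "$sample"
```

Run it once per docroot before the release so the correct branch's backport is ready to apply; the drush update itself is still the step above.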

U-M Hosting Platform. Drupal on the U-M Hosting Platform will be updated for you. If you use this service, you do not need to take action.

Threats: 

The Drupal Security Team expects that exploits might be developed within hours or days once information about the vulnerability and release is made public.

Information for Users: 

Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the update. Content managers and website users do not need to do anything.

In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Use a Secure Internet Connection on the U-M Safe Computing website.