July 14, 2016: This information is intended for U-M IT staff who are responsible for university websites that use the Drupal content management system.
Drupal has has announced updates to multiple third-party modules that address highly critical vulnerabilities that could allow remote code execution. These vulnerable modules are third-party projects that are not part of Drupal core.
According to the Drupal website, Drupal sites using the vulnerable third-party modules are affected, and security releases are available to address the vulnerabilities. IIA’s estimate is that only a small percentage of Drupal sites are likely to be affected. The affected module versions are:
- RESTful Web Services 7.x-2.x versions prior to 7.x-2.6
- RESTful Web Services 7.x-1.x versions prior to 7.x-1.7
- Coder module 7.x-1.x versions prior to 7.x-1.3
- Coder module 7.x-2.x versions prior to 7.x-2.6
- Webform Multifile 7.x-1.x versions prior to 7.x-1.4
If the vulnerable third-party modules are in use, update them as soon as possible. Drupal core is not affected. If you do not use these modules, there is nothing you need to do.
There are already reports of exploits in the wild. Exploitation could result in arbitrary PHP code execution by anonymous users. Vulnerable Drupal sites may be compromised quickly.
Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the updates if the vulnerable third-party modules are in use. Users of those systems, and people who use Drupal to update web content, do not need to do anything.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.
Please contact firstname.lastname@example.org.