Security update: Drupal 7.72 & Drupal 8.9.1

Written by Mark Enrega on Thursday, June 18, 2020

Drupal has released a critical security update for Drupal 7 and Drupal 8. This security update (versions 7.72 & 8.9.1) fixes multiple vulnerabilities that have been found by the Drupal security team. Specifically, they are:

  • The core Form API in Drupal 7 & 8 does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
  • Drupal 8 has a remote code execution vulnerability under certain circumstances. This means an attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability.
  • A third issue affects the Drupal 8 JSON:API module. By default, JSON:API runs in read-only mode, which makes the vulnerability impossible to exploit; only Drupal 8 sites that have read_only set to FALSE in the jsonapi.settings configuration are vulnerable.

Solution

The latest versions of Drupal (versions 7.72 & 8.9.1) will mitigate the vulnerabilities. All Drupal websites should be updated to the latest version of Drupal.
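As an added example (not code from this post or from the Drupal project), here is a small POSIX shell audit helper for the two checks a site owner would want around this update: whether a site's core version is already at or past 7.72 / 8.9.1, and whether the JSON:API read_only setting has been switched off. It assumes the version string is the one printed by `drush core:status --field=drupal-version` and that `drush config:get jsonapi.settings read_only` prints a line in the form `'jsonapi.settings:read_only': true`; the sample values embedded in the block are constructed, not taken from a real site.

```shell
#!/bin/sh
# Added example, not part of the Enrega post or of Drupal itself.
# Inputs are assumed to come from drush (formats noted per function);
# the sample values at the bottom are constructed for demonstration.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
# Non-numeric suffixes such as "-dev" are ignored for the comparison.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
  done
  echo 0
}

# Return 0 if the running core version already contains the fix for its
# major release (7.72 for Drupal 7, 8.9.1 for Drupal 8), 1 if it predates
# the fix, 2 for a major this advisory does not cover.
drupal_is_patched() {
  case "${1%%.*}" in
    7) fixed="7.72" ;;
    8) fixed="8.9.1" ;;
    *) return 2 ;;
  esac
  [ "$(vercmp "$1" "$fixed")" -ge 0 ]
}

# Return 0 if JSON:API is in its default read-only mode, 1 if read_only has
# been set to false (the configuration the advisory singles out), 2 if the
# key is absent (module not enabled or config never set).
# $1 is the text printed by `drush config:get jsonapi.settings read_only`
# (assumed format: 'jsonapi.settings:read_only': true).
jsonapi_is_read_only() {
  case "$(printf '%s' "$1" | tr -d " '\"" | tr 'A-Z' 'a-z')" in
    *read_only:true*)  return 0 ;;
    *read_only:false*) return 1 ;;
    *)                 return 2 ;;
  esac
}

# Combine both checks into a one-line report for a site.
audit_site() {
  ver="$1"; jsonapi_out="$2"
  if drupal_is_patched "$ver"; then
    core="core $ver: patched"
  else
    core="core $ver: UPDATE NEEDED"
  fi
  if jsonapi_is_read_only "$jsonapi_out"; then rc=0; else rc=$?; fi
  case $rc in
    0) j="JSON:API read-only (default)" ;;
    1) j="JSON:API read_only=false: exposed until core is patched" ;;
    *) j="JSON:API setting not found" ;;
  esac
  printf '%s; %s\n' "$core" "$j"
}

# Constructed sample values (not from a real site):
SAMPLE_VERSION="8.8.6"
SAMPLE_JSONAPI="'jsonapi.settings:read_only': false"
audit_site "$SAMPLE_VERSION" "$SAMPLE_JSONAPI"
# On a live site, feed the real drush output instead, e.g.:
#   audit_site "$(drush core:status --field=drupal-version)" \
#              "$(drush config:get jsonapi.settings read_only)"
```

The version comparison is done component by component rather than as a string, so 8.9.1 correctly sorts above 8.8.6 and 7.72 above 7.9. Flipping read_only back to true is only a stop-gap for sites that genuinely need JSON:API writes; the advisory's fix is the core update itself.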

Action

All Drupal websites that are hosted with Enrega will be updated by our support team. For more information about the update process, please see our security updates for your website page.

If you have a shared hosting account with CMS support, you can see our progress by following our support team on Twitter. If you have a custom website that is not in shared hosting, or if you do not have CMS support, we'll let you know by email when we're done.

References

The team at Enrega are available if you require more information about your website security updates.