
Drupal Patches 'Highly Critical' Vulnerability Affecting 1M Sites

by Chris Brook on Tuesday August 11, 2020


The company warned users they’d have to set aside some time to fix a “highly critical” flaw in Drupal 7 and 8 core this week. It arrived on Wednesday.

As expected, the content management system Drupal patched a highly critical vulnerability in Drupal 7 and 8 Core on Wednesday, and warned users not to delay applying the fix.

The update fixes a particularly nasty remote code execution vulnerability in multiple Drupal 7.x and 8.x subsystems that could bring an entire site down.

According to the company, Jasper Mattsson, a Finnish Drupal developer, discovered the bug as part of his general research into the CMS's security.

Drupal didn't get into the details around the vulnerability (CVE-2018-7600) but said it could allow an attacker to exploit multiple attack vectors on a Drupal site. In a FAQ about the vulnerability, Drupal said the flaw could affect over one million sites, or roughly nine percent of sites on the internet.

While it's unclear whether exploit code exists for the vulnerability, Drupal warns that exploitation could result in all site data being modified or deleted.

Site owners are being encouraged to apply the updates as soon as possible, if they haven’t already, to avoid exploitation. Drupal’s infrastructure team warned users Wednesday afternoon - just an hour after it had pushed the patches - that attackers were already using news of the update to target some members of the Drupal community with malicious email sign ups and phishing attacks.

The easiest solution for site owners is to update Drupal 7 or 8 core; Drupal 7.58 and Drupal 8.5.1 are the newest, patched versions. If users can't find the bandwidth to update immediately, they're being encouraged to apply a patch, something that should, at least in the short term, mitigate the issue.


Given the severity of the issue, Drupal said Wednesday it's providing fixes for 8.3.x and 8.4.x, even though they're no longer supported. Users on those branches should update to version 8.3.9 or 8.4.6 respectively.
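A version check built from the fixed releases named above (7.58, 8.5.1, and 8.3.9/8.4.6 for the unsupported 8.3.x and 8.4.x branches), added here as an example and not code from Drupal or from the article. It takes the core version string as reported by the install; treating any 8.x branch newer than 8.5 as patched is an assumption, since those branches were released after the fix.

```python
import re

# Minimum patched core versions per branch, as listed in the article for
# CVE-2018-7600. Drupal 7 versions have two components, Drupal 8 three.
FIXED_VERSIONS = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(version):
    """Split '8.5.1-rc1' into ((8, 5, 1), 'rc1'); raise on unparsable input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    nums = tuple(int(p) for p in m.groups()[:3] if p is not None)
    return nums, m.group(4)


def assess(version):
    """Return 'patched', or a 'vulnerable: ...' / 'unknown: ...' verdict."""
    nums, suffix = parse_version(version)
    major = nums[0]
    if major == 6:
        return "vulnerable: Drupal 6 is end of life; only the community LTS patch exists"
    if major == 7:
        fixed = FIXED_VERSIONS[(7,)]
    elif major == 8:
        if len(nums) < 2:
            return "unknown: Drupal 8 version needs a minor number"
        if nums[1] > 5:
            return "patched"  # assumption: branches after 8.5 shipped with the fix
        fixed = FIXED_VERSIONS.get((8, nums[1]))
        if fixed is None:
            return f"vulnerable: 8.{nums[1]}.x received no fix; upgrade to 8.5.1"
    else:
        return "unknown: not a Drupal 7 or 8 version"
    # A pre-release build of the fixed version (e.g. 8.5.1-rc1) predates the fix.
    if nums < fixed or (nums == fixed and suffix is not None):
        return "vulnerable: upgrade to " + ".".join(map(str, fixed))
    return "patched"


def is_patched(version):
    """Boolean convenience wrapper around assess()."""
    return assess(version) == "patched"
```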

Speaking of older Drupal versions, the vulnerability also affects Drupal 6, which reached end of life in February 2016 and is no longer supported by the project. Despite that, Drupal 6 Long Term Support, a group that pushes security fixes for the now defunct CMS, has cobbled together a semiofficial patch.

The update was expected to coincide with a 30-minute git service outage, but the outage ran longer than planned. For a short period Wednesday afternoon the content-management framework's site was offline; users eagerly anticipating the patch were met with a "5xx Server Error" warning when navigating to the page.

The company warned users last week they’d have to set aside some time to fix a “highly critical” flaw in Drupal 7 and 8 core.

“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” a Drupal PSA said at the time.

Tags: Vulnerabilities

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.