A PHP code execution bug affecting the Drupal core CMS has been discovered. The Drupal team has released a highly critical new security patch as a fix, urging all system administrators to update affected modules and configurations immediately.
Not all Drupal sites are affected by the bug. According to the security advisory issued on drupal.org, sites that meet one of the following conditions are affected:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
- the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
This bug arose because some field types are not properly sanitizing data from non-form sources. This enables arbitrary PHP code executions in certain cases. If not dealt with, a malicious user could exploit the bug to invade a Drupal site and take control of an affected server. Given that Drupal is such a popular website publishing CMS worldwide, with over 285,000 sites running on Drupal 8 and more than 800,000 sites running Drupal 7, a security issue of this magnitude warranted a swift response.
Per the advisory released on Wednesday, Drupal recommends users who may be affected to take the following steps:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
- Make sure to install any available security updates for contributed projects after updating Drupal core.
- Drupal 7 doesn’t require a core update, but several Drupal 7 contributed modules do require updates.
If a site update cannot be updated immediately, the Drupal Security Team recommended another set of steps. Site admins can an disable all web services modules or configure their web servers to not allow PUT/PATCH/POST requests to web services resources.
The security patch was widely released on Wednesday, but Drupal considered the issue serious enough to let admins know about the release a day in advance. Duo was one of the agencies informed and our team got to work as soon as the patch was released. The advance warning gave our developers enough time to block out time on Wednesday afternoon to ensure that every site we’re responsible for was updated immediately. By the end of the day, we had patched all affected Duo client sites.
While working with an agency helps guarantee a proactive solution to security fixes, Drupal’s in-house security team also plays a major role in maintaining diligence. A team of over 30 volunteers, the Drupal Security Team only recruits from experienced members of the Drupal community. As such, these active and committed watchdogs are typically able to identify problems before they become widespread. The current bug, for instance, was identified by the Drupal Security Team.
A strong security apparatus means nothing, however, if users don’t put in the necessary effort to keep their sites safe. In 2018, the Drupalgeddon 2 bug affected over a million Drupal sites. While many users subsequently patched their servers, an analysis conducted a couple months after that bug was discovered revealed that over one-hundred thousand sites remained vulnerable. All of the foresight in the world can’t protect a site if security concerns aren’t addressed as soon as they’re brought to light.
While major security issues like the one this week and Drupalgeddon 2 are rare, all code has bugs. The best thing a site can do to defend against potential vulnerabilities is to be proactive, actively searching for and fixing issues. Duo offers these protections on a continuous basis and, as part of the Drupal community, are able to discover and implement solutions as soon as they become available. In an increasingly digital world, it’s critical that companies find a partner who can handle your cybersecurity needs promptly and without complication.