Drupal Releases Security Updates for Critical Vulnerability in Drupal 6, 7 and 8


Drupal has released security updates for Drupal 7 and Drupal 8 that address a critical vulnerability in the software. The organization warned a week ago that it would release the patches on Wednesday evening. Drupal 6 is also affected, and patches are available.

According to the warning issued by Drupal, the vulnerability allows remote code execution, and the organization has assigned it a risk score of 21 out of 25. Drupal has not released any details of the vulnerability, but from the breakdown of the risk score, described on a FAQ page, it can be concluded that the vulnerability can easily be exploited by an unauthorized attacker and that it gives access to all data on a server. No exploits are said to be available yet. The vulnerability is present in standard configurations and commonly used settings.

The Drupal team warns that, due to the nature of the vulnerability, exploits are likely to be developed in the near future. Indications of the nature of the vulnerability can be found on Twitter. It is therefore recommended to update as soon as possible. The vulnerability was found by an employee of Druid, which, among other things, conducts audits for Drupal. The CMS is used by five percent of the one million most popular sites, according to Builtwith; W3Techs shows a slightly lower percentage for a larger population.

Patches are available for the vulnerability, which is identified as CVE-2018-7600. Users on version 7.x can update to version 7.58, and for users on version 8.5.x a fix is available in the form of 8.5.1. Users on 8.3.x and 8.4.x can update to versions 8.3.9 and 8.4.6 respectively or apply a patch, even though these are unsupported releases. The Drupal team advises these users to update to 8.5 after patching.

For version 6 users, Drupal points to the LTS version page, where patches should be available. For users who are unable to update, Drupal recommends, among other things, temporarily replacing the site with a static HTML page. The organization warned about this vulnerability a week ago.
