[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Paul Nijjar paul_nijjar at yahoo.ca
Wed Mar 28 16:14:08 EDT 2018


Khalid forwarded this to Charles and me, but it seems relevant to
other people as well if you are running Drupal. 

- Paul

----- Forwarded message from Khalid Baheyeldin <kb at 2bits.com> -----

Date: Wed, 28 Mar 2018 15:33:52 -0400
From: Khalid Baheyeldin <kb at 2bits.com>
To: Paul Nijjar <paul_nijjar at yahoo.ca>, Charles McColm <chaslinux at gmail.com>
Subject: Fwd: [Security-news] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Guys,

You have Drupal sites, whether personal or otherwise.

Please update your sites now, as automated remote cracking scripts will be
developed within a few hours from now.


---------- Forwarded message ----------
From: <security-news at drupal.org>
Date: Wed, Mar 28, 2018 at 3:21 PM
Subject: [Security-news] Drupal core - Highly critical - Remote Code
Execution - SA-CORE-2018-002
To: security-news at drupal.org


View online: https://www.drupal.org/sa-core-2018-002

Project: Drupal core [1]
Date: 2018-March-28
Security risk: *Highly critical* 21/25
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote Code Execution

Description:
CVE: CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of
Drupal 7.x and 8.x.  This potentially allows attackers to exploit multiple
attack vectors on a Drupal site, which could result in the site being
completely compromised.

The security team has written an FAQ [3] about this issue.

Solution:
Upgrade to the most recent version of Drupal 7 or 8 core.

  * *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you are unable
    to update immediately, you can attempt to apply this patch [5] to fix the
    vulnerability until such time as you are able to completely update.)
  * *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If you are
    unable to update immediately, you can attempt to apply this patch [7] to
    fix the vulnerability until such time as you are able to completely
    update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide
security releases for unsupported minor releases [8]. However, given the
potential severity of this issue, we /are/ providing 8.3.x and 8.4.x releases
that include the fix for sites which have not yet had a chance to update to
8.5.0.

Your site's update report page will recommend the 8.5.x release even if you
are on 8.3.x or 8.4.x. Please take the time to update to a supported version
after installing this security update.

  * If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or apply this
    patch [10].
  * If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or apply this
    patch [12].

This issue also affects Drupal 8.2.x and earlier, which are no longer
supported. If you are running any of these versions of Drupal 8, update to a
more recent release and then follow the instructions above.

This issue also affects Drupal 6.  Drupal 6 is End of Life. For more
information on Drupal 6 support please contact a D6LTS vendor [13].

Reported By:
  * Jasper Mattsson [14]

Fixed By:
  * Jasper Mattsson [15]
  * Samuel Mortenson [16] Provisional Drupal Security Team member
  * David Rothstein [17] of the Drupal Security Team
  * Jess (xjm) [18] of the Drupal Security Team
  * Michael Hess [19] of the Drupal Security Team
  * Lee Rowlands [20] of the Drupal Security Team
  * Peter Wolanin [21] of the Drupal Security Team
  * Alex Pott [22] of the Drupal Security Team
  * David Snopek [23] of the Drupal Security Team
  * Pere Orga [24] of the Drupal Security Team
  * Neil Drumm [25] of the Drupal Security Team
  * Cash Williams [26] of the Drupal Security Team
  * Daniel Wehner [27]
  * Tim Plunkett [28]

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached by email at security at drupal.org
or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure
code for Drupal, and securing your site.


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://groups.drupal.org/security/faq-2018-002
[4] https://www.drupal.org/project/drupal/releases/7.58
[5] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
[6] https://www.drupal.org/project/drupal/releases/8.5.1
[7] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
[8] https://www.drupal.org/core/release-cycle-overview
[9] https://www.drupal.org/project/drupal/releases/8.3.9
[10] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
[11] https://www.drupal.org/project/drupal/releases/8.4.6
[12] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
[13] https://www.drupal.org/project/d6lts
[14] https://www.drupal.org/u/Jasu_M
[15] https://www.drupal.org/u/Jasu_M
[16] https://www.drupal.org/user/2582268
[17] https://www.drupal.org/user/124982
[18] https://www.drupal.org/user/65776
[19] https://www.drupal.org/user/102818
[20] https://www.drupal.org/u/larowlan
[21] https://www.drupal.org/user/49851
[22] https://www.drupal.org/u/alexpott
[23] https://www.drupal.org/u/dsnopek
[24] https://www.drupal.org/u/pere-orga
[25] https://www.drupal.org/u/drumm
[26] https://www.drupal.org/u/cashwilliams
[27] https://www.drupal.org/u/dawehner
[28] https://www.drupal.org/u/tim.plunkett

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- anonymous

----- End forwarded message -----

-- 
http://pnijjar.freeshell.org
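The advisory's Solution section maps each supported branch to the release that carries the fix (7.58, 8.3.9, 8.4.6, 8.5.1) and notes that 8.2.x and earlier and Drupal 6 get no fixed release of their own. The script below is an added example, not part of the advisory or of Drupal's own tooling: it reads the core version out of a Drupal checkout and reports whether that checkout is at or above the fixed release for its branch. The file locations it reads (includes/bootstrap.inc for Drupal 7, core/lib/Drupal.php for Drupal 8) and the function names are the example's own assumptions; the fixed-release table is taken from the advisory text.

```shell
#!/bin/sh
# Added example: classify an installed Drupal core version against the
# releases that fix SA-CORE-2018-002 (CVE-2018-7600), per the advisory:
#   7.x -> 7.58, 8.3.x -> 8.3.9, 8.4.x -> 8.4.6, 8.5.x -> 8.5.1
# 8.2.x and earlier and Drupal 6 have no fixed release in their own branch.

# Minimum fixed release for the branch a version belongs to; empty if none.
fixed_release_for() {
    case "$1" in
        7.*)   echo 7.58 ;;
        8.3.*) echo 8.3.9 ;;
        8.4.*) echo 8.4.6 ;;
        8.5.*) echo 8.5.1 ;;
        *)     echo "" ;;
    esac
}

# Compare two dotted version strings component by component, numerically
# (so 7.58 > 7.9). Prints -1, 0 or 1. Suffixes such as "-dev" are ignored.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Prints "fixed", "update-required <release>" or "unsupported-branch".
sa_core_2018_002_status() {
    ver="$1"
    fixed=$(fixed_release_for "$ver")
    if [ -z "$fixed" ]; then
        echo "unsupported-branch"
        return 0
    fi
    if [ "$(version_cmp "$ver" "$fixed")" -ge 0 ]; then
        echo "fixed"
    else
        echo "update-required $fixed"
    fi
}

# Assumed file locations: Drupal 7 defines VERSION in includes/bootstrap.inc,
# Drupal 8 declares const VERSION in core/lib/Drupal.php.
drupal_version_from_tree() {
    root="$1"
    if [ -f "$root/core/lib/Drupal.php" ]; then
        sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" "$root/core/lib/Drupal.php" | head -n 1
    elif [ -f "$root/includes/bootstrap.inc" ]; then
        sed -n "s/.*define('VERSION', '\([^']*\)').*/\1/p" "$root/includes/bootstrap.inc" | head -n 1
    fi
}

# Usage: sh check_sa_core_2018_002.sh /path/to/drupal/docroot
if [ -n "$1" ]; then
    v=$(drupal_version_from_tree "$1")
    if [ -z "$v" ]; then
        echo "no Drupal core version found under $1"
    else
        echo "Drupal $v: $(sa_core_2018_002_status "$v")"
    fi
fi
```

The branch lookup is deliberately separate from the numeric comparison: an 8.4.5 site must be measured against 8.4.6, not against 8.5.1, which is exactly the point the advisory makes about the update report page recommending 8.5.x. A site that reports "unsupported-branch" has no patched release to move to and needs the "update to a more recent release, then follow the instructions" path the advisory describes.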

