[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Khalid Baheyeldin kb at 2bits.com
Wed Mar 28 16:24:33 EDT 2018


Thanks Paul,

If anyone has Drupal sites, please update them NOW, before you read further.
If you have a Drupal 6 site, there is a patch for it.

OK, did that?

Now go read this:

https://groups.drupal.org/security/faq-2018-002

Over the next few hours, we will see automated exploits that will own sites
that have not been patched. This is a remote exploit that requires no
privileges at all.

And please subscribe to the security mailing list.

On Wed, Mar 28, 2018 at 4:14 PM, Paul Nijjar via kwlug-disc <kwlug-disc at kwlug.org> wrote:

>
> Khalid forwarded this to Charles and me, but it seems relevant to
> other people as well if you are running Drupal.
>
> - Paul
>
> ----- Forwarded message from Khalid Baheyeldin <kb at 2bits.com> -----
>
> Date: Wed, 28 Mar 2018 15:33:52 -0400
> From: Khalid Baheyeldin <kb at 2bits.com>
> To: Paul Nijjar <paul_nijjar at yahoo.ca>, Charles McColm <chaslinux at gmail.com>
> Subject: Fwd: [Security-news] Drupal core - Highly critical - Remote Code
>         Execution - SA-CORE-2018-002
>
> Guys,
>
> You have Drupal sites, whether personal or otherwise.
>
> Please update your sites now, as automated remote cracking scripts will be
> developed within a few hours from now.
>
>
> ---------- Forwarded message ----------
> From: <security-news at drupal.org>
> Date: Wed, Mar 28, 2018 at 3:21 PM
> Subject: [Security-news] Drupal core - Highly critical - Remote Code
> Execution - SA-CORE-2018-002
> To: security-news at drupal.org
>
>
> View online: https://www.drupal.org/sa-core-2018-002
>
> Project: Drupal core [1]
> Date: 2018-March-28
> Security risk: *Highly critical* 21/25
> AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
> Vulnerability: Remote Code Execution
>
> Description:
> CVE: CVE-2018-7600
>
> A remote code execution vulnerability exists within multiple subsystems of
> Drupal 7.x and 8.x.  This potentially allows attackers to exploit multiple
> attack vectors on a Drupal site, which could result in the site being
> completely compromised.
>
> The security team has written an FAQ [3] about this issue.
>
> Solution:
> Upgrade to the most recent version of Drupal 7 or 8 core.
>
>   * *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you are unable
>     to update immediately, you can attempt to apply this patch [5] to fix the
>     vulnerability until such time as you are able to completely update.)
>   * *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If you are
>     unable to update immediately, you can attempt to apply this patch [7] to
>     fix the vulnerability until such time as you are able to completely
>     update.)
>
> Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide
> security releases for unsupported minor releases [8]. However, given the
> potential severity of this issue, we /are/ providing 8.3.x and 8.4.x releases
> that include the fix for sites which have not yet had a chance to update to
> 8.5.0.
>
> Your site's update report page will recommend the 8.5.x release even if you
> are on 8.3.x or 8.4.x. Please take the time to update to a supported version
> after installing this security update.
>
>   * If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or apply this patch
>     [10].
>   * If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or apply this patch
>     [12].
>
> This issue also affects Drupal 8.2.x and earlier, which are no longer
> supported. If you are running any of these versions of Drupal 8, update to a
> more recent release and then follow the instructions above.
>
> This issue also affects Drupal 6. Drupal 6 is End of Life. For more
> information on Drupal 6 support please contact a D6LTS vendor [13].
>
> Reported By:
>   * Jasper Mattsson [14]
>
> Fixed By:
>   * Jasper Mattsson [15]
>   * Samuel Mortenson [16] Provisional Drupal Security Team member
>   * David Rothstein [17] of the Drupal Security Team
>   * Jess (xjm) [18] of the Drupal Security Team
>   * Michael Hess [19] of the Drupal Security Team
>   * Lee Rowlands [20] of the Drupal Security Team
>   * Peter Wolanin [21] of the Drupal Security Team
>   * Alex Pott [22] of the Drupal Security Team
>   * David Snopek [23] of the Drupal Security Team
>   * Pere Orga [24] of the Drupal Security Team
>   * Neil Drumm [25] of the Drupal Security Team
>   * Cash Williams [26] of the Drupal Security Team
>   * Daniel Wehner [27]
>   * Tim Plunkett [28]
>
> -------- CONTACT AND MORE INFORMATION ----------------------------------------
>
> The Drupal security team can be reached by email at security at drupal.org or
> via the contact form.
>
> Learn more about the Drupal Security team and their policies, writing secure
> code for Drupal, and securing your site.
>
>
> [1] https://www.drupal.org/project/drupal
> [2] https://www.drupal.org/security-team/risk-levels
> [3] https://groups.drupal.org/security/faq-2018-002
> [4] https://www.drupal.org/project/drupal/releases/7.58
> [5] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
> [6] https://www.drupal.org/project/drupal/releases/8.5.1
> [7] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
> [8] https://www.drupal.org/core/release-cycle-overview
> [9] https://www.drupal.org/project/drupal/releases/8.3.9
> [10] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
> [11] https://www.drupal.org/project/drupal/releases/8.4.6
> [12] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
> [13] https://www.drupal.org/project/d6lts
> [14] https://www.drupal.org/u/Jasu_M
> [15] https://www.drupal.org/u/Jasu_M
> [16] https://www.drupal.org/user/2582268
> [17] https://www.drupal.org/user/124982
> [18] https://www.drupal.org/user/65776
> [19] https://www.drupal.org/user/102818
> [20] https://www.drupal.org/u/larowlan
> [21] https://www.drupal.org/user/49851
> [22] https://www.drupal.org/u/alexpott
> [23] https://www.drupal.org/u/dsnopek
> [24] https://www.drupal.org/u/pere-orga
> [25] https://www.drupal.org/u/drumm
> [26] https://www.drupal.org/u/cashwilliams
> [27] https://www.drupal.org/u/dawehner
> [28] https://www.drupal.org/u/tim.plunkett
>
> _______________________________________________
> Security-news mailing list
> Security-news at drupal.org
> Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
>
>
>
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. -- anonymous
>
> ----- End forwarded message -----
>
> --
> http://pnijjar.freeshell.org
>
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>



-- 
Khalid M. Baheyeldin
2bits.com, Inc.
Fast Reliable Drupal
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
Simplicity is the ultimate sophistication. -- anonymous
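An added example, not part of Khalid's message or of the Drupal advisory quoted above: a small Python script that reads the version string Drupal core records about itself and reports whether the install already carries the SA-CORE-2018-002 fix, using the fixed releases the advisory names (7.58, 8.3.9, 8.4.6 and 8.5.1) and its notes on 8.2.x-and-earlier and Drupal 6. It relies on the real locations of the core version constant (includes/bootstrap.inc for Drupal 7, core/lib/Drupal.php for Drupal 8); the sample file contents are constructed so it runs offline, and treating any 8.x release newer than 8.5.1 as carrying the fix is the script's own assumption, not a statement from the advisory.

```python
"""Triage Drupal core installs against the fixes named in SA-CORE-2018-002.

Added example, not code from the mailing-list message or the Drupal advisory.
Fixed releases are the ones the advisory lists: 7.58, 8.3.9, 8.4.6, 8.5.1.
"""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# Lowest release on each branch that carries the fix, per the advisory.
FIXED = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Where core records its own version string: Drupal 7 keeps
# define('VERSION', '7.58'); in includes/bootstrap.inc, Drupal 8 keeps
# const VERSION = '8.5.1'; in core/lib/Drupal.php.
VERSION_FILES = ("includes/bootstrap.inc", "core/lib/Drupal.php")

_VERSION_RE = re.compile(
    r"""(?:define\(\s*['"]VERSION['"]\s*,\s*|const\s+VERSION\s*=\s*)['"]([0-9][^'"]*)['"]"""
)


def extract_version(php_source: str) -> Optional[str]:
    """Return the version string from bootstrap.inc / Drupal.php contents."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.5.1' -> (8, 5, 1); '7.58' -> (7, 58). A '-dev'/'-rc1' suffix is dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised Drupal version: %r" % version)
    return tuple(int(p) for p in m.groups() if p is not None)


def classify(version: str) -> Tuple[str, str]:
    """Map an installed core version to (verdict, action) per the advisory."""
    v = parse_version(version)
    major = v[0]
    if major <= 6:
        # The advisory says Drupal 6 is affected and end of life.
        return "vulnerable", "Drupal 6 is end of life; get the fix from a D6LTS vendor"
    if major == 7:
        if v >= FIXED[(7,)]:
            return "patched", "none"
        return "vulnerable", "upgrade to Drupal 7.58"
    if major == 8:
        branch = v[:2]
        if branch in FIXED:
            if v < FIXED[branch]:
                return "vulnerable", "upgrade to Drupal " + ".".join(map(str, FIXED[branch]))
            if branch == (8, 5):
                return "patched", "none"
            # 8.3.9 / 8.4.6 carry the fix but those branches are unsupported.
            return "patched", "update to a supported 8.5.x release"
        if branch < (8, 3):
            return "vulnerable", "8.2.x and earlier are unsupported; update to 8.5.1"
        # Assumption: 8.x releases newer than 8.5.1 were cut after the fix.
        return "patched", "none"
    return "unknown", "Drupal %d.x is not covered by SA-CORE-2018-002" % major


def triage_docroot(docroot: str) -> Tuple[str, str, str]:
    """Find the core version file under a docroot and classify what it says."""
    for rel in VERSION_FILES:
        path = Path(docroot) / rel
        if path.is_file():
            version = extract_version(path.read_text(errors="replace"))
            if version:
                return (version,) + classify(version)
    return ("?", "unknown", "no Drupal core version file found under " + docroot)


# Constructed sample file contents, shaped like the real ones, so the script
# demonstrates itself without a Drupal checkout present.
SAMPLE_D7 = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.57');\n"
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python3 check_drupal.py /var/www/site1 /var/www/site2 ...
        for root in sys.argv[1:]:
            print(root, *triage_docroot(root))
    else:
        for sample in (SAMPLE_D7, SAMPLE_D8):
            ver = extract_version(sample)
            print(ver, *classify(ver))
```

Run it with one or more docroots to triage a fleet in one pass; with no arguments it classifies the two constructed samples (7.57 is flagged vulnerable, 8.5.1 patched). A fixed version string only says the code on disk is current; as Khalid's message points out, automated exploitation follows the advisory within hours, so a site that sat unpatched for a while needs the compromise checks from the FAQ, not just this version check.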