[kwlug-disc] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Paul Nijjar paul_nijjar at yahoo.ca
Wed Mar 28 16:41:02 EDT 2018


What is the vulnerability, exactly? The patch indicates that users can
input "dangerous keys". What are dangerous keys? Are these query
parameters in the URL? The FAQ is being irritating -- it is telling me
this is a VERY BIG PROBLEM, but it is not telling me what the problem
is. 

How busy is this security mailing list? 

- Paul


On Wed, Mar 28, 2018 at 04:24:33PM -0400, Khalid Baheyeldin wrote:
> Thanks Paul,
> 
> If anyone has Drupal sites, please update them NOW, before you read further.
> If you have a Drupal 6 site, there is a patch for it.
> 
> OK, did that?
> 
> Now go read this:
> 
> https://groups.drupal.org/security/faq-2018-002
> 
> Over the next few hours, we will see automated exploits that will own sites
> that have not been patched. This is a remote exploit that requires no
> privileges at all.
> 
> And please subscribe to the security mailing list.
> 
> On Wed, Mar 28, 2018 at 4:14 PM, Paul Nijjar via kwlug-disc <
> kwlug-disc at kwlug.org> wrote:
> 
> >
> > Khalid forwarded this to Charles and me, but it seems relevant to
> > other people as well if you are running Drupal.
> >
> > - Paul
> >
> > ----- Forwarded message from Khalid Baheyeldin <kb at 2bits.com> -----
> >
> > Date: Wed, 28 Mar 2018 15:33:52 -0400
> > From: Khalid Baheyeldin <kb at 2bits.com>
> > To: Paul Nijjar <paul_nijjar at yahoo.ca>, Charles McColm <
> > chaslinux at gmail.com>
> > Subject: Fwd: [Security-news] Drupal core - Highly critical - Remote Code
> >         Execution - SA-CORE-2018-002
> >
> > Guys,
> >
> > You have Drupal sites, whether personal or otherwise.
> >
> > Please update your sites now, as automated remote cracking scripts will be
> > developed within a few hours from now.
> >
> >
> > ---------- Forwarded message ----------
> > From: <security-news at drupal.org>
> > Date: Wed, Mar 28, 2018 at 3:21 PM
> > Subject: [Security-news] Drupal core - Highly critical - Remote Code
> > Execution - SA-CORE-2018-002
> > To: security-news at drupal.org
> >
> >
> > View online: https://www.drupal.org/sa-core-2018-002
> >
> > Project: Drupal core [1]
> > Date: 2018-March-28
> > Security risk: *Highly critical* 21/25
> > AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default [2]
> > Vulnerability: Remote Code Execution
> >
> > Description:
> > CVE: CVE-2018-7600
> >
> > A remote code execution vulnerability exists within multiple subsystems of
> > Drupal 7.x and 8.x.  This potentially allows attackers to exploit multiple
> > attack vectors on a Drupal site, which could result in the site being
> > completely compromised.
> >
> > The security team has written an FAQ [3] about this issue.
> >
> > Solution:
> > Upgrade to the most recent version of Drupal 7 or 8 core.
> >
> >   * *If you are running 7.x, upgrade to Drupal 7.58 [4].* (If you are unable
> >     to update immediately, you can attempt to apply this patch [5] to fix the
> >     vulnerability until such time as you are able to completely update.)
> >   * *If you are running 8.5.x, upgrade to Drupal 8.5.1 [6].* (If you are
> >     unable to update immediately, you can attempt to apply this patch [7] to
> >     fix the vulnerability until such time as you are able to completely
> >     update.)
> >
> > Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide
> > security releases for unsupported minor releases [8]. However, given the
> > potential severity of this issue, we /are/ providing 8.3.x and 8.4.x releases
> > that include the fix for sites which have not yet had a chance to update to
> > 8.5.0.
> >
> > Your site's update report page will recommend the 8.5.x release even if you
> > are on 8.3.x or 8.4.x. Please take the time to update to a supported version
> > after installing this security update.
> >
> >   * If you are running 8.3.x, upgrade to Drupal 8.3.9 [9] or apply this
> >     patch [10].
> >   * If you are running 8.4.x, upgrade to Drupal 8.4.6 [11] or apply this
> >     patch [12].
> >
> > This issue also affects Drupal 8.2.x and earlier, which are no longer
> > supported. If you are running any of these versions of Drupal 8, update to a
> > more recent release and then follow the instructions above.
> >
> > This issue also affects Drupal 6.  Drupal 6 is End of Life. For more
> > information on Drupal 6 support please contact a D6LTS vendor [13].
> >
> > Reported By:
> >   * Jasper Mattsson [14]
> >
> > Fixed By:
> >   * Jasper Mattsson [15]
> >   * Samuel Mortenson [16], Provisional Drupal Security Team member
> >   * David Rothstein [17] of the Drupal Security Team
> >   * Jess (xjm) [18] of the Drupal Security Team
> >   * Michael Hess [19] of the Drupal Security Team
> >   * Lee Rowlands [20] of the Drupal Security Team
> >   * Peter Wolanin [21] of the Drupal Security Team
> >   * Alex Pott [22] of the Drupal Security Team
> >   * David Snopek [23] of the Drupal Security Team
> >   * Pere Orga [24] of the Drupal Security Team
> >   * Neil Drumm [25] of the Drupal Security Team
> >   * Cash Williams [26] of the Drupal Security Team
> >   * Daniel Wehner [27]
> >   * Tim Plunkett [28]
> >
> > -------- CONTACT AND MORE INFORMATION ----------------------------------------
> >
> > The Drupal security team can be reached by email at security at drupal.org or
> > via the contact form.
> >
> > Learn more about the Drupal Security team and their policies, writing secure
> > code for Drupal, and securing your site.
> >
> >
> > [1] https://www.drupal.org/project/drupal
> > [2] https://www.drupal.org/security-team/risk-levels
> > [3] https://groups.drupal.org/security/faq-2018-002
> > [4] https://www.drupal.org/project/drupal/releases/7.58
> > [5] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
> > [6] https://www.drupal.org/project/drupal/releases/8.5.1
> > [7] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
> > [8] https://www.drupal.org/core/release-cycle-overview
> > [9] https://www.drupal.org/project/drupal/releases/8.3.9
> > [10] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
> > [11] https://www.drupal.org/project/drupal/releases/8.4.6
> > [12] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
> > [13] https://www.drupal.org/project/d6lts
> > [14] https://www.drupal.org/u/Jasu_M
> > [15] https://www.drupal.org/u/Jasu_M
> > [16] https://www.drupal.org/user/2582268
> > [17] https://www.drupal.org/user/124982
> > [18] https://www.drupal.org/user/65776
> > [19] https://www.drupal.org/user/102818
> > [20] https://www.drupal.org/u/larowlan
> > [21] https://www.drupal.org/user/49851
> > [22] https://www.drupal.org/u/alexpott
> > [23] https://www.drupal.org/u/dsnopek
> > [24] https://www.drupal.org/u/pere-orga
> > [25] https://www.drupal.org/u/drumm
> > [26] https://www.drupal.org/u/cashwilliams
> > [27] https://www.drupal.org/u/dawehner
> > [28] https://www.drupal.org/u/tim.plunkett
> >
> > _______________________________________________
> > Security-news mailing list
> > Security-news at drupal.org
> > Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
> >
> >
> >
> > --
> > Khalid M. Baheyeldin
> > 2bits.com, Inc.
> > Fast Reliable Drupal
> > Drupal optimization, development, customization and consulting.
> > Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> > Simplicity is the ultimate sophistication. -- anonymous
> >
> > ----- End forwarded message -----
> >
> > --
> > http://pnijjar.freeshell.org
> >
> > _______________________________________________
> > kwlug-disc mailing list
> > kwlug-disc at kwlug.org
> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >
> 
> 
> 
> -- 
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. -- Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. -- anonymous

-- 
http://pnijjar.freeshell.org
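The advisory above gives a fixed release per branch (7.58, 8.3.9, 8.4.6, 8.5.1) but no quick way to tell which side of that line a given site sits on. The script below is an added example written for this thread; it is not Drupal's own tooling and not code from anyone in the discussion. It reads the version string Drupal core stores in includes/bootstrap.inc (7.x) or core/lib/Drupal.php (8.x), compares it against the fixed releases named in the advisory, and treats pre-release suffixes (-rc1, -dev) as older than the matching final release. The sample file contents are constructed; the rule that branches cut after the fix (8.6 and later) count as fixed is an assumption stated in the code.

```python
"""Check whether a Drupal code base is at or above the release that fixes
SA-CORE-2018-002 (CVE-2018-7600).

Added example for this thread; it is not Drupal's own tooling.  The fixed
releases come from the advisory; the file locations are where Drupal core
records its own version string.  Sample file contents below are constructed.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# First release on each branch that contains the fix, per the advisory.
FIXED = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Drupal 7: includes/bootstrap.inc  ->  define('VERSION', '7.57');
# Drupal 8: core/lib/Drupal.php     ->  const VERSION = '8.5.0';
VERSION_FILES = ("includes/bootstrap.inc", "core/lib/Drupal.php")
_VERSION_RE = re.compile(
    r"""(?:define\(\s*['"]VERSION['"]\s*,\s*|const\s+VERSION\s*=\s*)"""
    r"""['"]([0-9][0-9A-Za-z.\-]*)['"]"""
)


def parse_version(php_source: str) -> Optional[str]:
    """Pull the core VERSION string out of either version-bearing file."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: numeric parts, then 1 for a final release or 0 for a
    pre-release/dev suffix, so 8.5.0-rc1 < 8.5.0 and 8.5.1-dev < 8.5.1."""
    core, _, suffix = version.partition("-")
    return tuple(int(p) for p in core.split(".")), (0 if suffix else 1)


def status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unsupported' (no fixed release in the advisory)."""
    nums, _ = version_key(version)
    major = nums[0]
    # Assumption: 8.6+ and 9.x were cut after the fix landed and include it.
    if major >= 9 or (major == 8 and len(nums) > 1 and nums[1] >= 6):
        return "fixed"
    branch = (7,) if major == 7 else nums[:2]
    if branch not in FIXED:
        # Drupal 6 (EOL, see D6LTS) and 8.0.x-8.2.x: no fixed release listed.
        return "unsupported"
    return "fixed" if version_key(version) >= (FIXED[branch], 1) else "vulnerable"


def check_docroot(docroot: str) -> Tuple[Optional[str], str]:
    """Locate the core version file under a site's docroot and classify it."""
    for rel in VERSION_FILES:
        path = Path(docroot) / rel
        if path.is_file():
            version = parse_version(path.read_text(errors="replace"))
            if version:
                return version, status(version)
    return None, "unknown"  # not a Drupal docroot, or an unrecognised layout


# Constructed sample contents mimicking the two version-bearing files.
SAMPLE_D7 = "<?php\n\n/**\n * The current system version.\n */\ndefine('VERSION', '7.57');\n"
SAMPLE_D8 = "<?php\n\nnamespace Drupal;\n\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n"

if __name__ == "__main__":
    import sys
    for name, src in (("sample D7", SAMPLE_D7), ("sample D8", SAMPLE_D8)):
        v = parse_version(src)
        print(f"{name}: {v} -> {status(v)}")
    # Real use: python check_drupal.py /var/www/example.org /srv/other-site
    for root in sys.argv[1:]:
        print(root, *check_docroot(root))
```

A site reporting "unsupported" has no fixed release in the advisory and should be upgraded to a supported branch, then re-checked; a contrib-patched tree can still report "vulnerable" here because the VERSION string is not bumped by the standalone patch, so treat this as a first pass, not proof of exposure.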
