The Drupal project is urging website administrators to install updates urgently after the discovery of a highly critical remote code execution bug in Drupal core, the project's CMS.
Drupal's security team rated the bug as highly critical and warned administrators ahead of Wednesday's patch release to reserve time to address it.
Drupal is the third most popular CMS for website publishing. The vulnerability, tracked as CVE-2019-6340, could let attackers compromise a Drupal site and potentially take control of the underlying web server.
Drupal says the flaw exists because some field types do not properly sanitize data from non-form sources, such as RESTful web services, and warns that this can lead to arbitrary PHP code execution.
Administrators can mitigate the bug by disabling all web services modules until the fixed release is installed. Alternatively, the web server can be configured to reject PUT, PATCH and POST requests to web services resources.
The affected branches of Drupal core are 8.6.x and 8.5.x and earlier. Sites must upgrade to each branch's fixed version: Drupal 8.6.10 and Drupal 8.5.11 respectively.
A site is affected if the Drupal 8 core RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or if another web services module is enabled.
After updating Drupal core, administrators should also install security updates for several affected third-party Drupal projects: Font Awesome Icons, Translation Management Tool, Paragraphs, Video, Metatag, Link, JSON:API, and RESTful Web Services.
Drupal 7 core does not need updating, but Drupal warns that the Drupal 7 versions of some of the third-party projects listed above may need to be.
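The conditions above (core version below the fixed release, a web services module enabled, rest allowing PATCH or POST) can be checked offline from a site checkout and its config export. The script below is an added example, not code from the Drupal project or from this article. It assumes the core version is read from the `VERSION` constant in `core/lib/Drupal.php`, that enabled modules come from the exported `core.extension.yml`, and that REST resource configs (`rest.resource.*.yml`) use `granularity: resource`; the module set in `WEB_SERVICES_MODULES` is the pair named in the article and should be extended for any other web services module a site runs. The sample file contents are constructed for the demonstration.

```python
"""Offline triage for CVE-2019-6340 from a Drupal 8 checkout and config export.

Added example (not the Drupal project's or the article's own code). Inputs are
the text of core/lib/Drupal.php, the exported core.extension.yml, and any
rest.resource.*.yml exports (assumption: resource granularity).
"""
import re

# Fixed releases named in the advisory: 8.6.x -> 8.6.10, 8.5.x -> 8.5.11.
FIXED_VERSIONS = {(8, 6): (8, 6, 10), (8, 5): (8, 5, 11)}

# Web services modules named in the article; extend for others a site enables
# (assumption: the full set is site-specific).
WEB_SERVICES_MODULES = {"rest", "jsonapi"}

# Request methods the advisory's web server mitigation blocks.
WRITE_METHODS = {"PUT", "PATCH", "POST"}

VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")
MODULE_LINE_RE = re.compile(r"^\s{2}([A-Za-z0-9_]+):\s*-?\d+\s*$")
METHOD_LINE_RE = re.compile(r"^\s*-\s*(GET|HEAD|POST|PUT|PATCH|DELETE)\s*$", re.M)


def parse_version(text):
    """'8.6.9' -> (8, 6, 9); a '-dev'/'-alpha1' suffix is ignored."""
    parts = text.split("-", 1)[0].split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {text!r}")
    nums = [int(p) for p in parts] + [0, 0, 0]
    return tuple(nums[:3])


def core_version(drupal_php):
    """Pull the VERSION constant out of core/lib/Drupal.php source text."""
    m = VERSION_RE.search(drupal_php)
    if not m:
        raise ValueError("VERSION constant not found")
    return m.group(1)


def core_vulnerable(version_text):
    """Return (vulnerable, note) for a Drupal core version string."""
    v = parse_version(version_text)
    if v[0] < 8:
        return False, "Drupal 7 core is not affected by this advisory"
    if v[0] > 8:
        return False, "newer than the affected 8.x branches"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # 8.4.x and earlier are unsupported branches that received no fix.
        return True, "unsupported 8.x branch; upgrade to 8.5.11 or 8.6.10"
    if v < fixed:
        return True, "upgrade to %d.%d.%d" % fixed
    return False, "fixed release"


def enabled_modules(core_extension_yml):
    """Module names under the top-level 'module:' mapping of core.extension.yml.
    Minimal line parser (no PyYAML); assumes the standard two-space export."""
    modules, in_module = set(), False
    for line in core_extension_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):            # a new top-level key
            in_module = line.strip() == "module:"
            continue
        if in_module:
            m = MODULE_LINE_RE.match(line)
            if m:
                modules.add(m.group(1))
    return modules


def rest_write_methods(rest_resource_ymls):
    """Write methods enabled across rest.resource.*.yml exports."""
    methods = set()
    for text in rest_resource_ymls:
        methods.update(METHOD_LINE_RE.findall(text))
    return methods & WRITE_METHODS


def assess(drupal_php, core_extension_yml, rest_resource_ymls=()):
    """Combine the three advisory conditions into one verdict dict."""
    version = core_version(drupal_php)
    vulnerable, note = core_vulnerable(version)
    modules = enabled_modules(core_extension_yml)
    exposed = sorted(modules & WEB_SERVICES_MODULES)
    writes = sorted(rest_write_methods(rest_resource_ymls)) if "rest" in modules else []
    # In scope: vulnerable core AND (rest allowing POST/PATCH, or any other web
    # services module enabled). A patched core is out of scope regardless.
    in_scope = vulnerable and (
        ("rest" in modules and bool(set(writes) & {"POST", "PATCH"}))
        or bool(set(exposed) - {"rest"})
    )
    return {"version": version, "core_vulnerable": vulnerable, "note": note,
            "web_services_modules": exposed, "rest_write_methods": writes,
            "in_scope": in_scope}


# Constructed sample inputs standing in for files read from a site checkout.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '8.6.9';\n}\n"
SAMPLE_CORE_EXTENSION = """module:
  basic_auth: 0
  hal: 0
  node: 0
  rest: 0
  serialization: 0
  user: 0
  standard: 1000
profile: standard
theme:
  bartik: 0
"""
SAMPLE_REST_RESOURCE = """id: entity.node
plugin_id: 'entity:node'
granularity: resource
configuration:
  methods:
    - GET
    - POST
    - PATCH
  formats:
    - hal_json
  authentication:
    - cookie
"""

if __name__ == "__main__":
    print(assess(SAMPLE_DRUPAL_PHP, SAMPLE_CORE_EXTENSION, [SAMPLE_REST_RESOURCE]))
```

Run it against real files with `assess(open("core/lib/Drupal.php").read(), open("config/sync/core.extension.yml").read(), [open(p).read() for p in glob("config/sync/rest.resource.*.yml")])`. A site whose rest resources allow only GET, or whose core already reports 8.6.10 or 8.5.11, comes back `in_scope: False`; everything else should be patched or have write methods blocked at the web server until it is.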
The flaw is not believed to have been exploited in the wild yet, but given its severity, exploitation is expected in the near future.
In recent months attackers have targeted Drupal sites that were never patched against the 'Drupalgeddon 2' flaws disclosed last spring, mainly to install cryptocurrency miners on the affected web servers.
Research found that more than 100,000 sites were still running versions of the CMS vulnerable to the Drupalgeddon 2 bugs three months after fixed versions had been released.