A remote code execution vulnerability, made public on March 28th 2018, exists within multiple subsystems of Drupal 7.x and Drupal 8.x and potentially allows attackers to exploit multiple attack vectors on a site running Drupal, resulting in a complete compromise of the site. The vulnerability has been assigned the identifier CVE-2018-7600. As of the writing of this alert, Drupal has not identified a public exploit in the wild, but given the criticality of the vulnerability, users should expect exploits to be developed and used maliciously. Application of the now-released fix is therefore strongly recommended.
Drupal 8, 7 and 6 sites are affected. According to the Drupal project's usage information, this represents over one million sites, or about 9% of sites running a known CMS according to BuiltWith.
TechCERT recommends that all Drupal users update their sites to the most recent release of the Drupal branch they are using.
- If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can apply this patch to fix the vulnerability until you are able to update completely.)
- If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
- Drupal 8.3.x and 8.4.x are no longer supported; however, given the potential severity of this issue, Drupal is providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.
- Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.
- If you are running 8.3.x, upgrade to Drupal 8.3.9.
- If you are running 8.4.x, upgrade to Drupal 8.4.6.
- This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release.
- Drupal 6 is also affected and the Drupal 6 Long Term Support project has patches available.
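The per-branch rules above are easy to misapply when an organisation runs many Drupal sites on different branches, so the following script, added here as an example and not part of TechCERT's alert or of Drupal, turns them into a check: it reads the version constant Drupal itself ships (`define('VERSION', ...)` in `includes/bootstrap.inc` for Drupal 7, `const VERSION` in `core/lib/Drupal.php` for Drupal 8, both standard locations in those releases) and reports whether the install already carries the fixed release for its branch. The fixed releases are the ones named in the advisory (7.58, 8.3.9, 8.4.6, 8.5.1); the sample file contents in the block are constructed, not taken from real installs.

```python
import re
import sys
from pathlib import Path

# Fixed releases per branch, as named in the advisory. Drupal 7 release
# numbers have two parts, so 7.x is fixed from 7.58 onwards.
FIXED_RELEASES = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Where each major version declares its VERSION constant (standard Drupal layout).
VERSION_FILES = {
    7: ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([\d.]+)'\)")),
    8: ("core/lib/Drupal.php", re.compile(r"const\s+VERSION\s*=\s*'([\d.]+)'")),
}


def parse_version(text):
    """'8.5.0' -> (8, 5, 0). Stops at the first non-numeric part, so
    '8.6.x-dev' becomes (8, 6) instead of raising."""
    parts = []
    for piece in text.split("-", 1)[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def detect_version(source):
    """Pull the VERSION constant out of bootstrap.inc / Drupal.php contents."""
    for _path, pattern in VERSION_FILES.values():
        match = pattern.search(source)
        if match:
            return match.group(1)
    return None


def assess(version):
    """Return (status, advice) for an installed Drupal version string,
    following the branch rules in the advisory."""
    v = parse_version(version)
    if not v:
        return "unknown", "could not parse version %r" % version
    if v[0] == 6:
        return "unsupported", "Drupal 6: apply the Drupal 6 Long Term Support project patches"
    if v[0] == 7:
        branch = (7,)
    elif v[0] == 8 and v[:2] in FIXED_RELEASES:
        branch = v[:2]
    elif v[0] == 8 and v[:2] < (8, 3):
        return "unsupported", "Drupal 8.2.x or earlier: upgrade to 8.5.1"
    elif v[0] == 8:
        return "unknown", "newer than the Drupal 8 branches this advisory covers"
    else:
        return "unknown", "not a Drupal 6/7/8 version"
    fixed = FIXED_RELEASES[branch]
    fixed_str = ".".join(str(n) for n in fixed)
    if v >= fixed:
        return "patched", "%s includes the fix (>= %s)" % (version, fixed_str)
    return "vulnerable", "upgrade to " + fixed_str


def scan_docroot(docroot):
    """Check a Drupal document root on disk; returns (version, status, advice)."""
    for rel_path, _pattern in VERSION_FILES.values():
        candidate = Path(docroot) / rel_path
        if candidate.is_file():
            version = detect_version(candidate.read_text(errors="replace"))
            if version:
                return (version,) + assess(version)
    return (None, "unknown", "no Drupal version file found under %s" % docroot)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python drupal_check.py /var/www/example/docroot
        print(*scan_docroot(sys.argv[1]))
    else:
        # Constructed sample file contents standing in for real installs.
        samples = {
            "D7 bootstrap.inc": "<?php\ndefine('VERSION', '7.57');\n",
            "D8 Drupal.php": "<?php\nclass Drupal {\n  const VERSION = '8.5.0';\n",
        }
        for label, source in samples.items():
            found = detect_version(source)
            print(label, found, *assess(found))
```

Run it with a document root as the only argument to check one site, or without arguments to see the constructed samples assessed (7.57 and 8.5.0 both report as vulnerable). Because the check reads the version constant from disk rather than querying the site over HTTP, it works on an inventory of web roots without touching production traffic, and it deliberately does not try to detect the flaw itself; the advisory's position is that any release below the fixed one for its branch must be treated as exposed.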