Drupal has released paches to set of vulnerabilities in the third party PEAR Archive_Tar library and RCE in PHP's built in phar stream wrapper. Remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration. Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations.
- Drupal 8.6.x
- Drupal 8.5.x
- Drupal 7.x
TechCERT recommends applying following security patch updates at your earliest if you have any Drupal installation.
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
- If you are using Drupal 7.x, upgrade to Drupal 7.62.