Drupal has Released Critical Security Updates for Multiple Vulnerabilities

PUBLISHED:
18 January 2019

Drupal has Released Critical Security Updates for Multiple Vulnerabilities

Drupal has released patches to set of vulnerabilities in the third party PEAR Archive_Tar library and RCE in PHP’s built in phar stream wrapper. Remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration. Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations.

Affected Systems

  • Drupal 8.6.x
  • Drupal 8.5.x
  • Drupal 7.x

Solution

TechCERT recommends applying following security patch updates at your earliest if you have any Drupal installation.

  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
  • If you are using Drupal 7.x, upgrade to Drupal 7.62.

Additional Info

 

9 March 2023 [NO.TCSA : 20230309-1-1-P]

A Critical Code Execution Flaw Found in FortiOS and FortiProxy Administrative Interfaces

READ MORE READ MORE
20 February 2023 [NO.TCSA : 20230220-1-1-P]

Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb

READ MORE READ MORE
16 January 2023 [NO.TCSA : 20230116-1-1-P]

Cacti Crisis: Severe Vulnerability Exploited in the Wild

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN