Drupal has Released Critical Security Updates for Multiple Vulnerabilities

PUBLISHED:
18 January 2019

Drupal has Released Critical Security Updates for Multiple Vulnerabilities

Drupal has released patches to set of vulnerabilities in the third party PEAR Archive_Tar library and RCE in PHP’s built in phar stream wrapper. Remote code execution vulnerability exists in PHP’s built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration. Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations.

Affected Systems

  • Drupal 8.6.x
  • Drupal 8.5.x
  • Drupal 7.x

Solution

TechCERT recommends applying following security patch updates at your earliest if you have any Drupal installation.

  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9.
  • If you are using Drupal 7.x, upgrade to Drupal 7.62.

Additional Info

 

21 April 2022 [NO.TCSA : 20220422-1-1-P]

A Critical Unauthenticated Remote Code Execution (RCE) Flaw Found in WSO2 API Manager, Identity Server & Enterprise Integrator

READ MORE READ MORE
19 April 2022 [NO.TCSA : 20220419-1-1-P]

Possible Increase of Intrusion Attempts on Sri Lankan Websites

READ MORE READ MORE
1 April 2022 [NO.TCSA : 20220401-1-1-P]

Spring4Shell – A Critical Remote Execution Found Spring Framework

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN