MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2018

MA-700.042018: MyCERT Advisory – Drupal Releases Security Updates

Date first published: 26/4/2018


1.0 Introduction
Drupal is a popular, free and open-source content management system. Drupal has released an advisory addressing several vulnerabilities in Drupal core 8.x and 7.x.


2.0 Impact
A remote attacker could exploit one of these vulnerabilities to take control of an affected system.


3.0 Affected Versions
•    Drupal core 7.x versions prior to 7.59
•    Drupal core 8.5.x versions prior to 8.5.3
•    Drupal core 8.4.x versions prior to 8.4.8


4.0 Recommendations
Users and administrators are advised to apply the necessary updates by following whichever of the instructions below matches the version they are running:
•    If the site is running Drupal 7.x, upgrade to Drupal core 7.59
URL: https://www.drupal.org/project/drupal/releases/7.59

•    If the site is running Drupal 8.5.x, upgrade to Drupal core 8.5.3
URL: https://www.drupal.org/project/drupal/releases/8.5.3

•    If the site is running Drupal 8.4.x, upgrade to Drupal core 8.4.8
URL: https://www.drupal.org/project/drupal/releases/8.4.8

(Drupal 8.4.x is no longer supported and there are normally no security releases for unsupported minor releases. However, Drupal is providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)

If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:

•    Patch for Drupal 8.x (8.5.x and below)
https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e

•    Patch for Drupal 7.x
https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0

These patches will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)
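As an added check (not part of the MyCERT advisory or of Drupal's own tooling), the following Python classifies a Drupal core version against the affected ranges and target releases listed above. The VERSION constant is read from where Drupal 7 and 8 define it (`includes/bootstrap.inc` and `core/lib/Drupal.php`); the sample source lines are constructed.

```python
import re
from typing import NamedTuple, Optional

# Branch prefix -> first fixed release on that branch, as stated in MA-700.042018.
FIXED = {
    (7,): (7, 59),
    (8, 5): (8, 5, 3),
    (8, 4): (8, 4, 8),
}

class Verdict(NamedTuple):
    affected: bool
    upgrade_to: Optional[str]  # release to install now; None if not affected
    note: str

def parse_version(text: str) -> tuple:
    """Parse 'x.y' or 'x.y.z' into a tuple of ints, ignoring suffixes such as '-rc1'."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a Drupal version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def version_from_source(source: str) -> str:
    """Extract the core version constant from Drupal's own source.
    Drupal 7: includes/bootstrap.inc  ->  define('VERSION', '7.58');
    Drupal 8: core/lib/Drupal.php     ->  const VERSION = '8.5.2';
    """
    m = re.search(r"(?:define\('VERSION',\s*|const VERSION\s*=\s*)'([^']+)'", source)
    if not m:
        raise ValueError("no VERSION constant found")
    return m.group(1)

def assess(version: str) -> Verdict:
    """Decide whether a version falls in an affected range and which release to move to."""
    v = parse_version(version)
    for prefix, fixed in FIXED.items():
        if v[:len(prefix)] == prefix:
            target = ".".join(map(str, fixed))
            if v < fixed:  # tuple comparison: (8, 5, 2) < (8, 5, 3)
                note = ("8.4.x is unsupported: update to 8.4.8 now, then to 8.5.3"
                        if prefix == (8, 4) else "update to " + target)
                return Verdict(True, target, note)
            return Verdict(False, None, "already at or above " + target)
    if v[0] == 8:  # 8.x minor not listed individually; the advisory covers all 8.x
        return Verdict(True, "8.5.3", "unsupported 8.x minor: move to 8.5.3 or the latest secure release")
    return Verdict(False, None, "version not covered by this advisory")
```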

Generally, MyCERT advises users of this software to keep up to date with the vendor's latest security announcements and to follow best-practice security policies when determining which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999@cybersecurity.my or mycert@mycert.org.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: http://www.mycert.org.my
Twitter: http://www.twitter.com/mycert
Facebook: http://www.facebook.com/mycert.org.my
Cyber999 Mobile Apps: iOS Users or Android Users


5.0 References

•    https://www.us-cert.gov/ncas/current-activity/2018/04/25/Drupal-Releases-Critical-Security-Updates
•    https://www.drupal.org/project/drupal/releases/7.59
•    https://www.drupal.org/project/drupal/releases/8.5.3
•    https://www.drupal.org/project/drupal/releases/8.4.8
•    https://www.drupal.org/sa-core-2018-002
•    https://www.drupal.org/sa-core-2018-004
•    https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e
•    https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0