SUMMARY
This is a follow-up to a notice alerting you to a critical vulnerability affecting sites running the Drupal Content Management System [1]. Please share this alert internally with IT admins and service owners who run the product so they are aware and know what actions to take to address this vulnerability.
IMPACT
This vulnerability may lead to information disclosure, remote code execution, and privilege escalation.
WHAT IS VULNERABLE
- Drupal 8.9.0
- Drupal 9.0.x
- Drupal 10.4.9, 10.5.0 - 10.5.9, 10.6.0 - 10.6.8
- Drupal 11.0.0 - 11.1.9, 11.2.0, 11.3.0 - 11.3.9
NOT VULNERABLE
- Drupal sites that are not using PostgreSQL databases.
- Drupal 7.x is not affected as far as we know. Any Drupal 7 sites hosted on Pantheon, including open Berkeley Platform sites, are automatically eligible for extended security support.
RECOMMENDATIONS
- Install the latest patched version:
  - For Drupal 8.9.0, manually apply the Drupal 8.9 patch
  - For Drupal 9.0.x, manually apply the Drupal 9.5 patch
  - For Drupal 10.4.9, update to Drupal 10.4.10
  - For Drupal 10.5.0 - 10.5.9, update to Drupal 10.5.10
  - For Drupal 10.6.0 - 10.6.8, update to Drupal 10.6.9
  - For Drupal 11.0.0 - 11.0.9, update to Drupal 11.1.10
  - For Drupal 11.2.0, update to Drupal 11.2.12
  - For Drupal 11.3.0 - 11.3.9, update to Drupal 11.3.10
- Sites hosted on Pantheon should apply the appropriate update as soon as possible. If you run a site on Pantheon and need further clarification or assistance, contact the Web Platform Services team.
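The following script is an added example for triaging a site inventory against the ranges above; it is not part of this advisory or of Drupal. The affected ranges and the recommended actions are copied from the advisory text; the inventory records are constructed. The advisory's two lists disagree on the 11.0/11.1 range (11.0.0 - 11.1.9 under WHAT IS VULNERABLE, 11.0.0 - 11.0.9 under RECOMMENDATIONS), so the check uses the broader one. In practice the version comes from `drush status` or `composer show drupal/core`, and the driver from `$databases['default']['default']['driver']` in settings.php, where Drupal names PostgreSQL `pgsql`.

```python
"""Added example: flag Drupal sites that fall inside this advisory's affected ranges.

Only PostgreSQL-backed sites are in scope, per the advisory's NOT VULNERABLE list.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]
ANY = 10**6  # stands in for the 'x' in a range such as 9.0.x (inclusive upper bound)


class Verdict(NamedTuple):
    affected: bool
    reason: str
    action: Optional[str]


# (lowest affected, highest affected, recommended action), inclusive, as stated in the advisory.
AFFECTED_RANGES = [
    ((8, 9, 0), (8, 9, 0), "manually apply the Drupal 8.9 patch"),
    ((9, 0, 0), (9, 0, ANY), "manually apply the Drupal 9.5 patch"),
    ((10, 4, 9), (10, 4, 9), "update to Drupal 10.4.10"),
    ((10, 5, 0), (10, 5, 9), "update to Drupal 10.5.10"),
    ((10, 6, 0), (10, 6, 8), "update to Drupal 10.6.9"),
    # Broader of the advisory's two ranges for the 11.0/11.1 series (assumption, see lead-in).
    ((11, 0, 0), (11, 1, 9), "update to Drupal 11.1.10"),
    ((11, 2, 0), (11, 2, 0), "update to Drupal 11.2.12"),
    ((11, 3, 0), (11, 3, 9), "update to Drupal 11.3.10"),
]

# Names the pgsql driver may appear under in a hand-maintained inventory.
POSTGRES_DRIVERS = {"pgsql", "postgresql", "postgres"}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Turn '10.5.3', '9.0.12-dev' or '7.103' into a comparable (major, minor, patch) tuple.

    Pre-release or build suffixes after the numeric part are ignored.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version: str, db_driver: str) -> Verdict:
    """Decide whether one site is in scope and which advisory action applies to it."""
    driver = db_driver.strip().lower()
    if driver not in POSTGRES_DRIVERS:
        return Verdict(False, f"database driver '{db_driver}' is not PostgreSQL", None)
    v = parse_version(version)
    if v[0] == 7:
        return Verdict(False, "Drupal 7.x is not affected as far as the advisory knows", None)
    for low, high, action in AFFECTED_RANGES:
        if low <= v <= high:
            return Verdict(True, f"Drupal {version} is inside an affected range", action)
    return Verdict(False, f"Drupal {version} is outside the listed affected ranges", None)


# Constructed sample inventory: (site name, Drupal core version, settings.php driver).
INVENTORY: List[Tuple[str, str, str]] = [
    ("www-a", "10.5.3", "pgsql"),
    ("www-b", "10.5.3", "mysql"),
    ("www-c", "11.3.2", "pgsql"),
    ("www-d", "7.103", "pgsql"),
    ("www-e", "10.6.9", "pgsql"),
]


def triage(inventory=INVENTORY):
    """Map each site to its Verdict so the affected ones can be handed to their owners."""
    return {site: assess(ver, drv) for site, ver, drv in inventory}


if __name__ == "__main__":
    for site, verdict in triage().items():
        flag = "AFFECTED " if verdict.affected else "ok       "
        print(f"{flag} {site}: {verdict.reason}" + (f" -> {verdict.action}" if verdict.action else ""))
```

Run it against your own inventory by replacing `INVENTORY`; a site is only reported as affected when both the version falls in a listed range and the database driver is PostgreSQL, so a MySQL site on an affected version is correctly reported as out of scope.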
REFERENCES
If you have any questions about the vulnerability or would like some assistance patching or mitigating it, please contact security@berkeley.edu.