Highly Critical Remote Code Execution in Drupal (SA-CORE-2018-002)

March 28, 2018

NOTE: Drupal core developers have stated that exploits for this vulnerability will likely be developed within days. Drupal site owners must take action immediately or risk complete compromise of their sites. 

Summary

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. [1]

Impact

This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. [1]

Vulnerable

  • Drupal 6.x (End-of-Life but still vulnerable)
  • Drupal 7.x
  • Drupal 8.x

Recommendations

  • If you are running 7.x, upgrade to Drupal 7.58. [1]
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. [1]
  • Drupal 8.3.x and 8.4.x are also affected. Those minor releases are no longer supported, but because of the severity of this issue the Drupal security team has issued fixed releases for them as well (8.3.9 and 8.4.6). Upgrade to 8.5.1 as soon as you can; if an immediate upgrade is not possible, move to 8.3.9 or 8.4.6 in the interim. [1]
  • Drupal 6.x is End-of-Life. Upgrade to a supported release or contact a Drupal 6.x Long Term Support vendor. [1]
  • Open Berkeley sites hosted at Pantheon will receive the security patch today; the Web Platform Services team is actively monitoring patch availability from Pantheon. [2] [3]
  • If you operate your own Drupal site (one that is not hosted with the Open Berkeley/Pantheon turnkey solution), you must upgrade immediately.
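Added example (not code from this advisory, from Open Berkeley, Pantheon or Drupal): a POSIX shell script that reads the VERSION constant Drupal core defines on disk (core/lib/Drupal.php for 8.x, includes/bootstrap.inc for 7.x, modules/system/system.module for 6.x) and reports whether each webroot is at or above the release that fixes SA-CORE-2018-002. The 7.58 and 8.5.1 targets are the ones named above; the 8.3.9 and 8.4.6 releases for the out-of-support 8.3.x/8.4.x branches are taken from the Drupal advisory [1], not from this page. The sample trees the script builds under mktemp are constructed for the demonstration and are not real Drupal checkouts.

```sh
#!/bin/sh
# Added example: report whether a Drupal code base on disk is at or above the
# release that fixes SA-CORE-2018-002. Assumed layout (where Drupal core defines
# its VERSION constant): 8.x core/lib/Drupal.php, 7.x includes/bootstrap.inc,
# 6.x modules/system/system.module.

# Print the core version of the Drupal install rooted at $1 (empty if unknown).
drupal_version() {
    if [ -f "$1/core/lib/Drupal.php" ]; then
        sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" "$1/core/lib/Drupal.php"
    elif [ -f "$1/includes/bootstrap.inc" ]; then
        sed -n "s/^[[:space:]]*define('VERSION', '\([^']*\)');.*/\1/p" "$1/includes/bootstrap.inc"
    elif [ -f "$1/modules/system/system.module" ]; then
        sed -n "s/^[[:space:]]*define('VERSION', '\([^']*\)');.*/\1/p" "$1/modules/system/system.module"
    fi
}

# Return 0 when version $1 >= version $2, comparing dotted components
# numerically. A non-numeric component (the "x-dev" in 8.5.x-dev) counts as 0,
# so dev snapshots are reported as not patched rather than guessed at.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# First fixed release for the branch a version belongs to. 7.58 and 8.5.1 are
# the releases named in this notice; 8.3.9 and 8.4.6 are the out-of-support
# branch releases named in the Drupal advisory [1]. Any other branch (including
# Drupal 6, which has no fixed release from drupal.org) is reported UNSUPPORTED.
fixed_version() {
    case "$1" in
        7.*)   echo 7.58 ;;
        8.5.*) echo 8.5.1 ;;
        8.4.*) echo 8.4.6 ;;
        8.3.*) echo 8.3.9 ;;
        *)     echo "" ;;
    esac
}

# Print "<root> <version> <status>"; return 0 only when the install is patched.
check_install() {
    v=$(drupal_version "$1")
    if [ -z "$v" ]; then
        echo "$1 ? UNKNOWN (no Drupal VERSION constant found)"; return 1
    fi
    f=$(fixed_version "$v")
    if [ -z "$f" ]; then
        echo "$1 $v UNSUPPORTED (no fixed release for this branch; migrate or use an LTS vendor)"; return 1
    fi
    if version_ge "$v" "$f"; then
        echo "$1 $v PATCHED"; return 0
    fi
    echo "$1 $v VULNERABLE (upgrade to $f)"; return 1
}

# Constructed sample trees (not real Drupal checkouts) so the script runs offline.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/d7/includes" "$d/d8/core/lib" "$d/d6/modules/system"
    echo "define('VERSION', '7.57');" > "$d/d7/includes/bootstrap.inc"
    printf "class Drupal {\n  const VERSION = '8.5.1';\n}\n" > "$d/d8/core/lib/Drupal.php"
    echo "define('VERSION', '6.38');" > "$d/d6/modules/system/system.module"
    echo "$d"
}

# On a real host call check_install once per webroot, e.g. check_install /var/www/html
fixture=$(make_fixture)
for root in "$fixture/d7" "$fixture/d8" "$fixture/d6"; do
    check_install "$root" || true
done
rm -rf "$fixture"
```

An exit status of 0 from check_install means the code on disk is at a fixed release; it says nothing about whether the site was already exploited before it was updated, so a self-hosted site that was exposed for any length of time after the advisory should also be examined for signs of prior compromise.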

References

[1] https://www.drupal.org/sa-core-2018-002
[2] https://open.berkeley.edu/
[3] https://status.pantheon.io/