On 21st March, the Drupal Security Team announced that a major vulnerability had been discovered on several subsystems of Drupal 7.x and 8.x, and the security risk posed to any website running one of those versions was Highly Critical. One week later, a set of patches was released for supported versions of Drupal in order to eliminate the vulnerability.
What does this mean in practice?
The issues in question scored 21/25 on the risk calculator used by the Drupal Security Team. In practical terms, this means that:
- A potential attacker only needs to be able to visit the page in order to exploit the vulnerability;
- No further level of access is required - any anonymous user can do this;
- All data handled by the system can be modified and deleted;
- In essence, anyone could potentially compromise a site entirely.
Fortunately, no public exploit code is currently available. However, that doesn't mean that malicious code targeting this vulnerability isn't out there.
Is my site affected?
If you are running one of the following versions of Drupal core, it is highly recommended that you upgrade to the latest version immediately:
- Any version of Drupal 7.x prior to Drupal 7.58
- Any version of Drupal 8.5.x prior to Drupal 8.5.1
- Any version of Drupal 8.3.x prior to Drupal 8.3.9
- Any version of Drupal 8.4.x prior to Drupal 8.4.6
- Any version of Drupal 6. Drupal 6 is End of Life and is no longer actively supported.
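As an added example (not code from this post or from the Drupal project), a small Python checker that reads the core version string and maps it against the list above. It assumes the version is declared as `define('VERSION', '7.58');` in `includes/bootstrap.inc` on 7.x and as `const VERSION = '8.5.1';` in `core/lib/Drupal.php` on 8.x; the sample file contents at the bottom are constructed, and 8.x branches with no listed fix are treated as affected.

```python
import re

# First fixed release per branch, taken from the version list above. Drupal 6 is
# End of Life and has no fixed release, so it is handled separately.
FIRST_FIXED = {
    (7,): (7, 58),
    (8, 3): (8, 3, 9),
    (8, 4): (8, 4, 6),
    (8, 5): (8, 5, 1),
}

# Assumption (not from the post): Drupal 7 declares its version in
# includes/bootstrap.inc as define('VERSION', '7.58'); and Drupal 8 in
# core/lib/Drupal.php as const VERSION = '8.5.1';
_VERSION_RE = re.compile(
    r"""(?:define\(\s*['"]VERSION['"]\s*,\s*|const\s+VERSION\s*=\s*)['"]([^'"]+)['"]"""
)

def parse_version(text):
    """Return the version as a tuple of ints (e.g. (8, 5, 1)), or None if not found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    numeric = re.match(r"[0-9]+(?:\.[0-9]+)*", m.group(1))  # drops '-dev', '-rc1', ...
    if not numeric:
        return None
    return tuple(int(p) for p in numeric.group(0).split("."))

def classify(version):
    """Classify a core version tuple: 'patched', 'affected', 'eol' or 'unknown'."""
    if version[0] == 6:
        return "eol"          # no fix will be released; migrate off Drupal 6
    if version[0] not in (7, 8):
        return "unknown"      # release lines not covered by this advisory
    key = version[:1] if version[0] == 7 else version[:2]
    fixed = FIRST_FIXED.get(key)
    if fixed is None:
        return "affected"     # 8.x branch with no listed fix (e.g. 8.0-8.2): assumed affected
    return "patched" if version >= fixed else "affected"

def check_core_file(text):
    """Combine both steps for the contents of bootstrap.inc or Drupal.php."""
    version = parse_version(text)
    return "unknown" if version is None else classify(version)

# Constructed sample file contents (not real Drupal files) for a quick self-check.
SAMPLE_D7 = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.57');\n"
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n"
```

Run `check_core_file()` over the real file contents of each site you manage; anything other than `patched` needs attention.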
How we can help
It’s urgent that any Drupal site running an affected version is updated immediately to secure its data. Furthermore, keeping your site on the most up-to-date version of Drupal is very important regardless of any critical vulnerabilities, to ensure the ongoing security of the site.
The good news is that for our current clients, you don’t have to worry - we’ve already got you covered! Our team patched every affected site we oversee immediately after the update came out.
If you’re not currently an Indulge client, we can help you keep on top of these upgrades. To make this easier, we have recently introduced a new patching programme, consisting of 2 options:
Option 1 - Proactive Patching
With this approach we manage the process of patching your site so that you don't have to worry about it. We'll keep track of new releases, test them thoroughly and roll them out to your website on a regular basis, ensuring that everything is fully up to date and secure. If your site did get compromised, we would be on it straight away and would resolve the issue at no extra cost.
Option 2 - Pay As You Go Patching
We can also provide a quote for each patch as and when it is released. This covers the full deployment and testing of the patch. Depending on which version of Drupal you are running, updates usually occur approximately once a month.
If you would like any more information about the services we offer, please get in touch.
More Info
- Drupal core security advisory SA-CORE-2018-002: https://www.drupal.org/sa-core-2018-002
- Drupal security update release page: https://www.drupal.org/taxonomy/term/100