AES - Critical - Unsupported

* Advisory ID: DRUPAL-SA-CONTRIB-2017-027
* Project: AES encryption (third-party module)
* Version: 7.x, 8.x
* Date: 2017-March-01


This module provides an API that allows other modules to encrypt and decrypt
data using the AES encryption algorithm.

The module does not follow requirements for encrypting data safely. An
attacker who gains access to data encrypted with this module could decrypt it
more easily than should be possible. The maintainer has opted not to fix
these weaknesses. See solution section for details on how to migrate to a
supported and more secure AES encryption module.


* All versions of the AES module

Drupal core is not affected. If you do not use the contributed AES encryption
module, there is nothing you need to do.


If you're using the AES only because Drupal Remote Dashboard (DRD) and
Drupal Remote Dashboard Server (DRD Server) depend on it, then update to
the latest versions of DRD or DRD Server and disable the AES module -- those
modules no longer depend on it.

In all other situations, you can replace the AES module with the Real AES

* If you don't have a recent backup, make a backup of your site's database
and codebase. Consider taking your site offline (e.g. using Drupal's
maintenance mode) as some features may not work properly during this
upgrade process.
* *Do NOT follow the normal uninstall process for the AES module.* The
uninstall process would delete your encryption key and make it impossible
to recover your data! Instead, disable the module and delete the AES
module directory *without uninstalling the module.*
* Download and extract the latest release of Real AES
* Download and extract the latest release of Key
* Enable the Real AES, Key and AES compatibility modules
* Use the Key module to create a new 128-bit encryption key with the
name "Real AES Key".
* Clear all your Drupal caches.
* Modules that depend on AES and store encrypted data will continue to
function as normal. They should decrypt and re-encrypt any stored data.
The Real AES module provides some functions from the AES module (like,
aes_encrypt() and aes_decrypt()) which can decrypt using your old key, but will re-encrypt using the new key and more correct AES encryption.

More detailed instructions available on the AES project page:

Add new comment