Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004

Project: Drupal core
Date: 2018-April-25
Security risk: *Critical* 17∕25
Vulnerability: Remote Code Execution

For Drupion customers

Please make sure to have your website covered by our auto-update feature as described on https://www.drupion.com/blog/automatic-drupal-core-updates-website-basis.... If for some reason you prefer not to enable the autoupdate feature, then please ask your developers to perform this security update as soon as possible. Alternatively, you can file a support request on https://dashboard.drupion.com and we will gladly update your websites.

Description

A remote code execution vulnerability exists within multiple subsystems of
Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple
attack vectors on a Drupal site, which could result in the site being
compromised. This vulnerability is related to Drupal core - Highly critical -
Remote Code Execution - SA-CORE-2018-002. While SA-CORE-2018-002 is being
exploited in the wild, this vulnerability is not known to be in active
exploitation as of this release.

Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

* If you are running 7.x, upgrade to Drupal 7.59.
* If you are running 8.5.x, upgrade to Drupal 8.5.3.
* If you are running 8.4.x, upgrade to Drupal 8.4.8.

If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:

* Patch for Drupal 8.x (8.5.x and below)
* Patch for Drupal 7.x

These patches will only work if your site already has the fix from
SA-CORE-2018-002 applied.

Add new comment