Drupal critical flaw: Patch this remote code execution bug urgently, websites warned

Site admins running Drupal should disable all web services until security updating is complete.
Written by Liam Tung, Contributing Writer

The Drupal project is urging website admins to install updates immediately after disclosing a highly critical remote code execution bug affecting the Drupal core CMS. 

The bug was considered serious enough for Drupal's security team to warn admins a day in advance of Wednesday's patch release to reserve time to address the bug. 

Drupal is the third most popular CMS for website publishing, accounting for about three percent of the world's billion-plus websites. Hackers could use the flaw, tracked as CVE-2019-6340, to hijack a Drupal site and potentially take control of a web server.     

According to Drupal, the bug is due to some file types not properly sanitizing data from non-form sources, such as RESTful web services. This failing can lead to arbitrary PHP code execution, it warns. 

Until an update to a secure version can be completed, admins can mitigate the bug by disabling all web services modules, according to Drupal's advisory. Admins could also mitigate the bug by disallowing PUT/PATCH/POST requests to web services resources. 

Affected branches of Drupal core include Drupal 8.6.x and Drupal 8.5.x and earlier. Admins should immediately upgrade to each branch's fixed versions, which are Drupal 8.6.10 and Drupal 8.5.11.   

Sites are only affected if the Drupal 8 core RESTful Web Services (rest) module is enabled and allows PATCH or POST requests. Also affected are sites with other web services modules enabled, such as JSON:API in Drupal 8, as well as the Service module or the RESTful Web Services module in Drupal 7. 

SEE: How to build a successful developer career (free PDF)    

Drupal warns that after updating Drupal core, admins will need to install security updates for several affected third-party Drupal projects. These include Font Awesome Icons, Translation Management Tool, Paragraphs, Video, Metatag, Link, JSON:API, and RESTful Web Services.     

Drupal 7 core doesn't actually need to be updated, but Drupal warns that some of the aforementioned third-party projects for Drupal 7 will need to be updated. 

The bug was discovered by the Drupal security team, so it's likely the bug has not yet been exploited in the wild. But given the severity of the bug and the pre-release alert, it would appear the project expects the bug could be exploited in the near future. 

Over recent months, hackers have been making use of Drupal sites that didn't install updates to address several 'Drupalgeddon 2' flaws that were disclosed last spring. The attacks mainly aimed to install cryptocurrency miners on affected web servers. 

The attackers had plenty of Drupal sites to work with. Research found over 100,000 sites were still running a versions of the CMS vulnerable to Drupalgeddon 2 bugs three months after fixed versions had been released.   

Previous and related coverage

Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers

Hacks could be easily avoided if people would patch their Drupal CMSs and Linux web servers.

Three-month-old Drupal vulnerability is being used to deploy cryptojacking malware

The update was deemed critical, but users who haven't applied the patch are being targeted by attackers deploying cryptocurrency miners.

Around 62 percent of all Internet sites will run an unsupported PHP version in 10 weeks

The highly popular PHP 5.x branch will stop receiving security updates at the end of the year.

Over 115,000 Drupal sites still vulnerable to critical flaw

At least 1,885 vulnerable sites are in the Alexa top one million sites.

Drupal patches critical CMS vulnerabilities

The bugs include incorrect code handling and access bypass security flaws.

Hello Kitty: Malware targets Drupal to mine for cryptocurrency

The Kitty malware not only targets website servers and visitors but also leaves a cheeky note for cat lovers out there.

Drupalgeddon 2 wreaking havoc on 900+ sites because IT still hasn't applied updates TechRepublic

Despite the fact that the Drupal exploit was reported-and patched-in March 2018, some 115,000 websites are still vulnerable.

Google takes aim at imposter websites with new Chrome warning CNET

Because most people don't notice when they're at the wrong website.

Editorial standards