[LTER-im] Fwd: [cv-announce-l] Drupal - Multiple Vulnerabilities (SA-CORE-2018-006)

Mark Servilla mark.servilla at gmail.com
Thu Oct 25 11:30:37 PDT 2018


FYI for any site using Drupal.

Sincerely,
Mark

---
Mark Servilla
mark.servilla at gmail.com


---------- Forwarded message ---------
From: Terry Fleury <tfleury at illinois.edu>
Date: Thu, Oct 25, 2018 at 11:43 AM
Subject: [cv-announce-l] Drupal - Multiple Vulnerabilities
(SA-CORE-2018-006)
To: <cv-announce at trustedci.org>


CI Operators:

Drupal recently announced a list of five (5) vulnerabilities [1] in the
Drupal Core [2] code. Two (2) of these vulnerabilities are listed as
critical and can allow remote code execution (RCE) [3]. The first
critical vulnerability is due to PHP's DefaultMailSystem::mail()
back-end which allows unsanitized email variables for shell arguments.
The second critical vulnerability is specific to Drupal 8.x and is
related to unvalidated contextual links. However, in both cases it would
be difficult for an anonymous user to exploit the vulnerabilities.

Impact:
Sites running Drupal 7.x or 8.x based applications could be compromised
by users with appropriate permissions, resulting in execution of
arbitrary code.

Recommendation:
Upgrade to the latest version of Drupal 7 or 8.
Drupal 8.6.2 : https://www.drupal.org/project/drupal/releases/8.6.2
Drupal 8.5.8 : https://www.drupal.org/project/drupal/releases/8.5.8
Drupal 7.60  : https://www.drupal.org/project/drupal/releases/7.60

Affected Software:
Drupal 8.6.x < 8.6.2
Drupal 8.x.x < 8.5.8
Drupal 7.x < 7.60

References:
[1] https://www.drupal.org/sa-core-2018-006
[2] https://www.drupal.org/project/drupal
[3] https://nakedsecurity.sophos.com/2018/10/23/patch-now-multiple-serious-flaws-found-in-drupal/

How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate
response, depends in part on operational conditions that are unique to
each cyberinfrastructure deployment. Trusted CI (formerly CTSC) cannot
provide a one-size-fits-all severity rating and response recommendation
for all NSF cyberinfrastructure. Please contact us
(http://trustedci.org/help/) if you need assistance with assessing the
potential impact of this vulnerability in your environment and/or you
have additional information about this issue that should be shared with
the community.
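The affected-version table in the advisory, turned into a check an operator could run across a site inventory. This is an added example, not part of the advisory and not Drupal's own code: it pulls the version string out of the two core files where Drupal records it (`includes/bootstrap.inc` for Drupal 7, `core/lib/Drupal.php` for Drupal 8), then maps it onto the three fixed releases listed above. The sample file contents are constructed, not taken from a real site, and treating a pre-release such as `8.6.2-rc1` as older than the fix is my assumption rather than something the advisory states.

```python
"""Check a Drupal core version against the ranges in SA-CORE-2018-006."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases named in the advisory: 7.60, 8.5.8 and 8.6.2.
FIXED_D7 = (7, 60)
FIXED_D8_5 = (8, 5, 8)   # the advisory lists "8.x.x < 8.5.8", i.e. every 8.x line below 8.6
FIXED_D8_6 = (8, 6, 2)

# Where each major release records its version (patterns are assumptions about the
# two files' layout, checked against the constructed samples below).
D7_PATTERN = re.compile(r"define\('VERSION',\s*'([^']+)'\)")   # includes/bootstrap.inc
D8_PATTERN = re.compile(r"const VERSION\s*=\s*'([^']+)';")     # core/lib/Drupal.php

# Constructed samples mimicking those files; not copied from any real deployment.
SAMPLE_D7_BOOTSTRAP = "<?php\n/** The current system version. */\ndefine('VERSION', '7.59');\n"
SAMPLE_D8_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.6.0';\n}\n"


def parse_version(text: str) -> Tuple[Version, bool]:
    """Return (numeric parts, is_prerelease) for strings like '8.6.2' or '8.6.2-rc1'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?\s*$", text)
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, m.group(2) is not None


def _older_than(parsed: Tuple[Version, bool], fixed: Version) -> bool:
    """True if `parsed` predates the fixed release `fixed`."""
    parts, prerelease = parsed
    padded = parts + (0,) * (len(fixed) - len(parts))   # '8.6' compares as 8.6.0
    # Assumption: a pre-release of the fixed version (8.6.2-rc1) still predates the fix,
    # so it sorts just below the final release of the same number.
    return padded + (0 if prerelease else 1,) < fixed + (1,)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Classify a version as ('affected', fixed_release), ('patched', None)
    or ('not-covered', None) for majors the advisory does not mention."""
    parsed = parse_version(version_text)
    major = parsed[0][0]
    if major == 7:
        return ("affected", "7.60") if _older_than(parsed, FIXED_D7) else ("patched", None)
    if major == 8:
        if parsed[0][:2] == (8, 6):
            return ("affected", "8.6.2") if _older_than(parsed, FIXED_D8_6) else ("patched", None)
        return ("affected", "8.5.8") if _older_than(parsed, FIXED_D8_5) else ("patched", None)
    return ("not-covered", None)


def detect_version(php_source: str) -> Optional[str]:
    """Extract the core version from the text of bootstrap.inc or Drupal.php."""
    for pattern in (D7_PATTERN, D8_PATTERN):
        m = pattern.search(php_source)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    for name, source in (("D7 sample", SAMPLE_D7_BOOTSTRAP), ("D8 sample", SAMPLE_D8_DRUPAL_PHP)):
        version = detect_version(source)
        status, fixed = assess(version) if version else ("unknown", None)
        print(f"{name}: version={version} status={status} upgrade_to={fixed}")
```

On a real host you would read the two files from the webroot instead of the embedded samples; the rest of the logic is unchanged. A status of `not-covered` means only that this advisory says nothing about that major release, not that the site is safe.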