
cv-announce-l - [cv-announce-l] Drupal Remote Code Execution Vulnerability (CVE-2018-7602)







  • From: Warren Raquel <wraquel@illinois.edu>
  • To: <cv-announce@trustedci.org>
  • Subject: [cv-announce-l] Drupal Remote Code Execution Vulnerability (CVE-2018-7602)
  • Date: Thu, 26 Apr 2018 08:36:30 -0500
  • Organization: National Center for Supercomputing Applications

CI Operators:

A highly critical remote code execution vulnerability exists within multiple
subsystems of Drupal 7.x and 8.x [1]. This potentially allows attackers to
exploit multiple attack vectors on a Drupal site, which could result in the
site being compromised. This vulnerability is related to a previously
reported vulnerability in Drupal core, SA-CORE-2018-002 [2]. Both the
previous vulnerability and this vulnerability are being exploited in the wild.

Trusted CI is aware that some sites affected by the previous vulnerability
have since patched. Please note that SA-CORE-2018-004 was released April 25,
2018 and sites should again patch as soon as possible.

Remediation
Trusted CI recommends upgrading to Drupal version 7.59 [3] or version 8.5.3
[4].

Mitigation
If upgrading is not possible, mitigation patches are available on the Drupal
site for version 7.x [5] and version 8.x [6].

References:
[1] https://www.drupal.org/sa-core-2018-004
[2] https://www.drupal.org/sa-core-2018-002
[3] https://www.drupal.org/project/drupal/releases/7.59
[4] https://www.drupal.org/project/drupal/releases/8.5.3
[5] https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0
[6] https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e

How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate
response, depends in part on operational conditions that are unique to each
cyberinfrastructure deployment. Trusted CI cannot provide a
one-size-fits-all severity rating and response recommendation for all NSF
cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you
need assistance with assessing the potential impact of this vulnerability in
your environment and/or you have additional information about this issue that
should be shared with the community.

Attachment: signature.asc
Description: OpenPGP digital signature
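Added example, not part of the Trusted CI advisory above and not Drupal's own code: a small Python triage script that an operator can point at a Drupal docroot to see whether core is at or past the fixed releases the advisory names (7.59 for 7.x, 8.5.3 for 8.x). It reads the version constant Drupal core declares in includes/bootstrap.inc (7.x) or core/lib/Drupal.php (8.x). One caveat matters here: a site that applied the mitigation patch [5]/[6] without upgrading keeps its old version string, so the script reports such a site as "needs-review" rather than "fixed"; confirming a backport has to be done by inspecting the patched files. The file excerpts in the block are constructed so it runs offline.

```python
"""Triage helper for SA-CORE-2018-004 (CVE-2018-7602).

Added example, not part of the Trusted CI advisory or of Drupal core.
It reads the version constant that Drupal core itself declares
(includes/bootstrap.inc for 7.x, core/lib/Drupal.php for 8.x) and compares
it against the fixed releases the advisory names, 7.59 and 8.5.3.
"""
import re
from pathlib import Path
from typing import Optional

# Fixed releases named in the advisory. Anything older is reported as
# "needs-review": the operator must either upgrade or confirm that the
# mitigation patch from the advisory was applied, which does not bump
# the version string.
FIXED = {7: (7, 59), 8: (8, 5, 3)}

# Where each major release of Drupal core declares its version string.
VERSION_SOURCES = (
    ("includes/bootstrap.inc", re.compile(r"define\('VERSION',\s*'([^']+)'\)")),
    ("core/lib/Drupal.php", re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")),
)

# Constructed excerpts standing in for the real files, so the example runs
# offline (the real files are much longer).
SAMPLE_D7_BOOTSTRAP = (
    "<?php\n/**\n * The current system version.\n */\n"
    "define('VERSION', '7.58');\n"
)
SAMPLE_D8_DRUPAL_PHP = (
    "<?php\nnamespace Drupal;\n\nclass Drupal {\n"
    "  const VERSION = '8.5.3';\n"
)


def parse_version(source_text: str) -> Optional[str]:
    """Return the VERSION string found in a bootstrap.inc / Drupal.php body."""
    for _, pattern in VERSION_SOURCES:
        match = pattern.search(source_text)
        if match:
            return match.group(1)
    return None


def assess(version: str) -> str:
    """Classify a core version string: 'fixed', 'needs-review' or 'unknown'."""
    if "-" in version:
        # '7.x-dev', '8.6.0-dev' and similar are not tagged releases; their
        # content cannot be judged from the number alone.
        return "unknown"
    try:
        parts = tuple(int(p) for p in version.split("."))
    except ValueError:
        return "unknown"
    fixed = FIXED.get(parts[0])
    if fixed is None:
        # A major release the advisory does not cover.
        return "unknown"
    return "fixed" if parts >= fixed else "needs-review"


def check_tree(docroot: Path) -> dict:
    """Inspect an on-disk Drupal docroot and return a small report."""
    for relpath, _ in VERSION_SOURCES:
        candidate = docroot / relpath
        if candidate.is_file():
            text = candidate.read_text(encoding="utf-8", errors="replace")
            version = parse_version(text)
            if version:
                return {"file": str(candidate), "version": version,
                        "status": assess(version)}
    return {"file": None, "version": None, "status": "unknown"}


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    print(check_tree(root))
```

Usage: `python drupal_sa_2018_004_check.py /var/www/html`. A "needs-review" result on a site that is believed to be patched is the signal to diff the relevant core files against the mitigation patch rather than to trust the version number.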



