[cv-announce-l] Drupal - Multiple Vulnerabilities (SA-CORE-2018-006)


  • From: Terry Fleury <tfleury@illinois.edu>
  • To: cv-announce@trustedci.org
  • Subject: [cv-announce-l] Drupal - Multiple Vulnerabilities (SA-CORE-2018-006)
  • Date: Thu, 25 Oct 2018 12:41:53 -0500

CI Operators:

Drupal recently announced a list of five (5) vulnerabilities [1] in the
Drupal Core [2] code. Two (2) of these vulnerabilities are listed as
critical and can allow remote code execution (RCE) [3]. The first
critical vulnerability is due to PHP's DefaultMailSystem::mail()
back-end which allows unsanitized email variables for shell arguments.
The second critical vulnerability is specific to Drupal 8.x and is
related to unvalidated contextual links. However, in both cases it would
be difficult for an anonymous user to exploit the vulnerabilities.
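The first critical issue above is a case of a user-supplied e-mail address reaching a shell command line unvalidated. The following Python block is an added illustration (not code from the advisory or from Drupal) of the defect pattern beside the two usual mitigations: validate the address against a strict allow-list, then either pass it as an argv element with no shell involved, or, if a shell string is unavoidable, quote it (shlex.quote here fills the role PHP's escapeshellarg() fills in PHP). The sendmail path and flags are assumptions for the example.

```python
import re
import shlex

# Allow-list for an envelope sender that will end up on a mail transport
# command line. Constructed for this example; it is not Drupal's own check.
_SENDER_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def validate_sender(address):
    """Return the address unchanged if it is a plain addr-spec, else raise.

    Anything outside the allow-list (whitespace, quotes, angle brackets,
    shell metacharacters) is rejected before it can reach a command line.
    """
    if not isinstance(address, str) or not _SENDER_RE.fullmatch(address):
        raise ValueError("envelope sender rejected: %r" % (address,))
    return address


def sender_is_acceptable(address):
    """Boolean wrapper around validate_sender for callers that just want yes/no."""
    try:
        validate_sender(address)
    except ValueError:
        return False
    return True


def unsafe_mail_command(sender, sendmail_path="/usr/sbin/sendmail"):
    """The vulnerable pattern: interpolating the sender into a shell string.

    The shell parses whatever the caller supplied as part of the command,
    so metacharacters in `sender` change what is executed. Returned as a
    string only to contrast with the safe forms below; never execute it.
    """
    return "%s -t -i -f %s" % (sendmail_path, sender)


def safe_mail_argv(sender, sendmail_path="/usr/sbin/sendmail"):
    """Preferred form: validate, then build an argv list for a shell-less call.

    Run with subprocess.run(argv) (shell=False is the default), so the sender
    is delivered to the transport as one argument however it is spelled.
    """
    return [sendmail_path, "-t", "-i", "-f", validate_sender(sender)]


def safe_mail_command(sender, sendmail_path="/usr/sbin/sendmail"):
    """Fallback when a shell string is unavoidable: validate and quote.

    shlex.quote wraps the value so the shell sees a single literal word,
    which is what escapeshellarg() does for PHP code in the same position.
    """
    return "%s -t -i -f %s" % (sendmail_path, shlex.quote(validate_sender(sender)))


if __name__ == "__main__":
    # Constructed inputs: one plain address, one display-name form that a web
    # form might submit and that the allow-list refuses.
    for candidate in ("alice@example.com", "Alice Smith <alice@example.com>"):
        if sender_is_acceptable(candidate):
            print("accepted:", safe_mail_argv(candidate))
        else:
            print("rejected:", repr(candidate))
```

The allow-list approach is deliberately narrower than RFC 5322: display names, comments and quoted local parts are refused outright, because a sender address that is only ever used as a transport argument has no need for them.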

Impact:
Sites running Drupal 7.x or 8.x based applications could be compromised
by users with appropriate permissions, resulting in execution of
arbitrary code.

Recommendation:
Upgrade to the latest version of Drupal 7 or 8.
Drupal 8.6.2 : https://www.drupal.org/project/drupal/releases/8.6.2
Drupal 8.5.8 : https://www.drupal.org/project/drupal/releases/8.5.8
Drupal 7.60 : https://www.drupal.org/project/drupal/releases/7.60

Affected Software:
Drupal 8.6.x < 8.6.2
Drupal 8.x.x < 8.5.8
Drupal 7.x < 7.60
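To turn the three affected ranges above into a repeatable triage check, here is an added Python script (not part of the advisory and not Drupal's own tooling) that classifies a version string as affected, fixed, or outside the advisory's scope, and that can read the version from an installed site. The fixed releases come from the advisory; the locations and formats of the version constants (core/lib/Drupal.php for 8.x, includes/bootstrap.inc for 7.x) are assumptions for this example, and the two sample file bodies are constructed.

```python
import re
from pathlib import Path

# Fixed releases named in the advisory, as comparable tuples.
FIXED_86 = (8, 6, 2)   # Drupal 8.6.x  < 8.6.2 is affected
FIXED_8X = (8, 5, 8)   # Drupal 8.x.x  < 8.5.8 is affected (8.0 to 8.5)
FIXED_7 = (7, 60)      # Drupal 7.x    < 7.60  is affected

# Where each major release records its version string. File names and the
# constant formats are assumptions made for this example.
_VERSION_SOURCES = (
    ("core/lib/Drupal.php", re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")),
    ("includes/bootstrap.inc",
     re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")),
)


def parse_version(version):
    """'8.6.1' -> (8, 6, 1); a pre-release such as '8.6.0-rc1' compares as 8.6.0."""
    core = version.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError("unrecognised Drupal version string: %r" % (version,))
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True inside an affected range, False if fixed, None if the advisory
    does not cover this major release at all."""
    v = parse_version(version)
    if v[0] == 7:
        return v < FIXED_7
    if v[0] == 8:
        if v[:2] == (8, 6):
            return v < FIXED_86
        return v < FIXED_8X
    return None


def version_from_source(text):
    """Extract the version string from the text of a Drupal version file."""
    for _, pattern in _VERSION_SOURCES:
        match = pattern.search(text)
        if match:
            return match.group(1)
    return None


def detect_version(docroot):
    """Read the version from an installed site rooted at `docroot`, or None."""
    for relpath, _ in _VERSION_SOURCES:
        path = Path(docroot) / relpath
        if path.is_file():
            found = version_from_source(path.read_text(errors="replace"))
            if found:
                return found
    return None


def describe(version):
    """Human-readable verdict for one version string."""
    verdict = is_affected(version)
    if verdict is None:
        return "Drupal %s: not covered by SA-CORE-2018-006" % version
    return "Drupal %s: %s" % (version, "AFFECTED, upgrade" if verdict else "fixed")


# Constructed stand-ins for the two version files, so the check runs offline.
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.6.1';\n}\n"
SAMPLE_D7 = "<?php\ndefine('VERSION', '7.60');\n"

if __name__ == "__main__":
    import sys
    for sample in (SAMPLE_D8, SAMPLE_D7):
        print(describe(version_from_source(sample)))
    if len(sys.argv) > 1:                      # optional: path to a real docroot
        found = detect_version(sys.argv[1])
        print(describe(found) if found else "no Drupal version file found")
```

Running the script with a document root as its argument prints a verdict for that site; with no argument it only classifies the two constructed samples. The range logic deliberately treats 8.0.x through 8.5.x as one series with a single fixed point (8.5.8), which is how the advisory's "8.x.x < 8.5.8" line reads.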

References:
[1] https://www.drupal.org/sa-core-2018-006
[2] https://www.drupal.org/project/drupal
[3] https://nakedsecurity.sophos.com/2018/10/23/patch-now-multiple-serious-flaws-found-in-drupal/

How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate
response, depends in part on operational conditions that are unique to
each cyberinfrastructure deployment. Trusted CI (formerly CTSC) cannot
provide a one-size-fits-all severity rating and response recommendation
for all NSF cyberinfrastructure. Please contact us
(http://trustedci.org/help/) if you need assistance with assessing the
potential impact of this vulnerability in your environment and/or you
have additional information about this issue that should be shared with
the community.

