[cv-announce-l] Drupal - Vulnerability in Third Party Libraries (SA-CORE-2019-001)
- From: Andrew K Adams <akadams@psc.edu>
- To: cv-announce@trustedci.org
- Cc: "Andrew K. Adams" <akadams@psc.edu>
- Subject: [cv-announce-l] Drupal - Vulnerability in Third Party Libraries (SA-CORE-2019-001)
- Date: Fri, 18 Jan 2019 10:33:27 -0500
CI Operators:
Drupal's maintainers announced two new critical vulnerabilities [1][2]. The first is an issue with the third-party library pear Archive_Tar [3] which deserializes untrusted data without verifying integrity and also fails to check attribute controls prior to updating objects [4]. The second issue is related to a vulnerability present in PHP’s stream wrapper.
Impact:
Both vulnerabilities can lead to remote code execution, which would allow a malicious actor to modify or delete files.
Recommendation:
Upgrade to the latest version of Drupal 7 or 8.
Drupal 8.6.6 : https://www.drupal.org/project/drupal/releases/8.6.6
Drupal 8.5.9 : https://www.drupal.org/project/drupal/releases/8.5.9
Drupal 7.62 : https://www.drupal.org/project/drupal/releases/7.62
Affected Software:
Drupal 8.6.x < 8.6.5
Drupal 8.5.x < 8.5.8 (Note, versions of Drupal 8 prior to 8.5.x are end-of-life.)
Drupal 7.x < 7.61
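The following Python script is an added example for operators triaging an inventory of Drupal sites against this advisory; it is not part of the original announcement or of Drupal. It compares each site's core version with the fixed releases named under Recommendation above (7.62, 8.5.9, 8.6.6), treats anything older on the same branch as needing the upgrade, and flags Drupal 8 branches before 8.5.x as end-of-life. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory's Recommendation section; anything
# older on the same branch is treated as needing the upgrade.
FIXED_RELEASES: Dict[Tuple[int, ...], Tuple[int, ...]] = {
    (7,): (7, 62),
    (8, 5): (8, 5, 9),
    (8, 6): (8, 6, 6),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '8.6.4' or '7.61' into a tuple of ints for ordered comparison."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def assess(version: str) -> str:
    """Classify one Drupal core version as 'affected', 'fixed', 'end-of-life' or 'unknown'."""
    v = parse_version(version)
    if v[0] == 7:
        return "affected" if v < FIXED_RELEASES[(7,)] else "fixed"
    if v[0] == 8:
        # Drupal 8 branches before 8.5.x are end-of-life and receive no fix.
        if len(v) < 2 or v[:2] < (8, 5):
            return "end-of-life"
        fixed = FIXED_RELEASES.get(v[:2])
        if fixed is None:
            return "unknown"  # branch not covered by this advisory
        return "affected" if v < fixed else "fixed"
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for an inventory of hostname -> Drupal core version."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions, not from the advisory).
SAMPLE_INVENTORY = {
    "www-1.example.edu": "8.6.4",
    "www-2.example.edu": "8.6.6",
    "portal.example.edu": "8.5.8",
    "legacy.example.edu": "8.4.8",
    "wiki.example.edu": "7.61",
    "intranet.example.edu": "7.62",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24s} {SAMPLE_INVENTORY[host]:8s} {status}")
```

Feed triage() the output of whatever asset inventory you already keep (a CMDB export, a Drush status sweep, or a scanner's banner data) and act on the "affected" and "end-of-life" entries first; the latter cannot be patched in place and need a branch upgrade.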
References:
[1] https://www.drupal.org/sa-core-2019-001
[2] https://www.drupal.org/sa-core-2019-002
[3] https://pear.php.net/package/Archive_Tar/
[4] https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.