cv-announce-l - [cv-announce-l] Drupal - Vulnerability in Third Party Libraries (SA-CORE-2019-001)

  • From: Andrew K Adams <akadams@psc.edu>
  • To: cv-announce@trustedci.org
  • Cc: "Andrew K. Adams" <akadams@psc.edu>
  • Subject: [cv-announce-l] Drupal - Vulnerability in Third Party Libraries (SA-CORE-2019-001)
  • Date: Fri, 18 Jan 2019 10:33:27 -0500

CI Operators:


Drupal's maintainers announced two new critical vulnerabilities [1][2]. The first is an issue in the third-party library PEAR Archive_Tar [3], which deserializes untrusted data without verifying its integrity and also fails to check attribute controls before updating objects [4]. The second issue is related to a vulnerability in PHP's stream wrapper.


Impact:

Both vulnerabilities can lead to remote code execution, where a malicious actor could modify or delete files.


Recommendation:

Upgrade to the latest version of Drupal 7 or 8.

Drupal 8.6.6 : https://www.drupal.org/project/drupal/releases/8.6.6

Drupal 8.5.9 : https://www.drupal.org/project/drupal/releases/8.5.9

Drupal 7.62 : https://www.drupal.org/project/drupal/releases/7.62


Affected Software:

Drupal 8.6.x < 8.6.5

Drupal 8.5.x < 8.5.8 (Note, versions of Drupal 8 prior to 8.5.x are end-of-life.)

Drupal 7.x < 7.61
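To turn the recommendation and affected-version lists above into a repeatable check across a fleet, the following Python helper (an added example, not code from Trusted CI or the Drupal project) parses a Drupal core version string, flags anything below the fixed releases named in the recommendation (8.6.6, 8.5.9, 7.62), and marks Drupal 8 branches before 8.5.x as end-of-life. It also extracts the version from the constant Drupal ships in its own source (`const VERSION = '...'` in Drupal 8's `core/lib/Drupal.php`, `define('VERSION', '...')` in Drupal 7's `includes/bootstrap.inc`), so it can be pointed at a checked-out tree. The host inventory at the bottom is constructed sample data.

```python
"""Triage helper for the Drupal releases named in SA-CORE-2019-001/-002.

Added example; not from the advisory or the Drupal project. Fixed releases
are taken from the advisory's recommendation section.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases from the advisory, keyed by branch.
FIXED_RELEASES: Dict[str, str] = {
    "8.6": "8.6.6",
    "8.5": "8.5.9",
    "7": "7.62",
}

# Per the advisory, Drupal 8 branches before 8.5.x are end-of-life and
# receive no fix; they need a branch upgrade rather than a point release.
EOL_BELOW_D8_MINOR = 5

# Matches the version constant as written in Drupal 8 (core/lib/Drupal.php)
# and Drupal 7 (includes/bootstrap.inc).
_VERSION_CONST_RE = re.compile(
    r"(?:const\s+VERSION\s*=\s*|define\(\s*'VERSION'\s*,\s*)'([^']+)'"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.6.5', '7.62' or '8.6.5-dev' into a comparable tuple of ints."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognized Drupal version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_from_source(php_source: str) -> Optional[str]:
    """Extract the core version constant from Drupal source text, if present."""
    m = _VERSION_CONST_RE.search(php_source)
    return m.group(1) if m else None


def assess(version: str) -> str:
    """Classify a core version: 'vulnerable', 'patched', 'end-of-life' or 'unknown'."""
    parts = parse_version(version)
    if parts[0] == 8:
        minor = parts[1] if len(parts) > 1 else 0
        if minor < EOL_BELOW_D8_MINOR:
            return "end-of-life"
        branch = f"8.{minor}"
    elif parts[0] == 7:
        branch = "7"
    else:
        return "unknown"          # branch not covered by this advisory
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return "unknown"          # e.g. a newer 8.x branch not listed here
    return "vulnerable" if parts < parse_version(fixed) else "patched"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so operators see what needs action."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory:
        groups.setdefault(assess(version), []).append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("web1.example.org", "8.6.5"),
    ("web2.example.org", "8.6.6"),
    ("portal.example.org", "7.61"),
    ("legacy.example.org", "8.4.8"),
    ("dev.example.org", "8.6.5-dev"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:12s} {', '.join(hosts)}")
```

Hosts reported as `vulnerable` should be taken to the fixed release for their branch; `end-of-life` hosts have no point release to move to and need a branch upgrade first.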


References:

[1] https://www.drupal.org/sa-core-2019-001

[2] https://www.drupal.org/sa-core-2019-002

[3] https://pear.php.net/package/Archive_Tar/

[4] https://nvd.nist.gov/vuln/detail/CVE-2018-1000888


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.



