[Drupal] [DISTCONS] Drupal Highly Critical Vulnerability

Runals, Mark C. runals.3 at osu.edu
Tue Mar 27 16:52:10 EDT 2018


To follow up on Jason’s email: while the full nature of the vulnerability and possible method(s) of exploit are not known at this time, Enterprise Security similarly recommends testing and then patching your Drupal sites soon after the patch becomes live. Once the full information is made public tomorrow we will assess how closely Enterprise Security should be involved in tracking patch progress and/or actively helping units through the site identification and patch processes.

For subscribers of the Enterprise Security Vulnerability Scanning service we are working within Security Center to help provide some visibility into existing Drupal sites and additional Nessus plugins once they are released. Communications along those lines will be forthcoming through the normal Vuln Scan service communication channels.

If you have questions related to this, please send an email to vulnerabilities at osu.edu.

Mark

--
Mark Runals
Associate Director – Security Operations
The Ohio State University
Enterprise Security
runals.3 at osu.edu
614/688-8681


From: DISTCONS <distcons-bounces+runals.3=osu.edu at lists.osu.edu> on behalf of "Little, Jason P." <little.129 at osu.edu>
Date: Tuesday, March 27, 2018 at 8:23 AM
To: "drupal at lists.service.ohio-state.edu" <drupal at lists.service.ohio-state.edu>, "distcons at lists.service.ohio-state.edu" <distcons at lists.service.ohio-state.edu>
Subject: [DISTCONS] Drupal Highly Critical Vulnerability

All,

This Wednesday @2-4pm, Drupal will be releasing an update for a previously undisclosed highly critical vulnerability impacting Drupal 7 and 8.

Official PSA
https://www.drupal.org/psa-2018-001

This severity is used for remote execution bugs (https://www.drupal.org/drupal-security-team/security-risk-levels-defined) which can be used to compromise a site.

The last time there was a major vulnerability like this, exploit scanners were running at large scale within hours of the disclosure. The Drupal security team issued a follow-up PSA (https://www.drupal.org/forum/newsletters/security-public-service-announcements/2014-10-29/drupal-core-highly-critical) saying that anyone who did not patch within 7 hours should proceed with the assumption that their site had been compromised.

If you go home Wednesday night before patching Drupal, you could easily come in Thursday to a hacked site so…

Patch up!

Best,
Jason Little
University Marketing


PS. If, after Wednesday, you’re trying to determine if you are patched, you can usually look at the Drupal core CHANGELOG for your site to determine the exact version number.

D8: http://insights.osu.edu/core/CHANGELOG.txt
D7: https://odee.osu.edu/CHANGELOG.txt

The actual vulnerability, along with the updated version numbers for 7.x, 8.3.x, 8.4.x, and 8.5.x should all be announced here.
https://www.drupal.org/security

Some people might apply a code patch instead of upgrading the version in which case a site *could* be safe with an old changelog. However, this is generally rare.

Also note that it can take a couple of hours from the initial release to test and deploy these patches.
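The CHANGELOG check Jason describes in his PS, as an added example that is not part of the original thread: a small Python script that parses the newest release heading out of a Drupal core CHANGELOG.txt (heading format assumed from the Drupal 7 file, "Drupal <version>, <date>") and compares it with the fixed release for that branch. The FIXED_RELEASES values are placeholders because the fixed version numbers are not on this page, and the changelog text is a constructed sample; as the email notes, a site fixed by applying the code patch by hand keeps an old changelog, so an "unpatched" result means "verify further", not "confirmed vulnerable".

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample: the head of a Drupal 7 core CHANGELOG.txt. The parser
# assumes the release-heading format "Drupal <version>, <date>" used there.
SAMPLE_CHANGELOG = """\
Drupal 7.57, 2018-02-21
-----------------------
- Fixed security issues (constructed sample entry).

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (constructed sample entry).
"""

# PLACEHOLDER minimum fixed release per branch. Fill these in from the
# advisory at https://www.drupal.org/security; they are NOT the real numbers.
FIXED_RELEASES: Dict[str, Version] = {
    "7": (7, 999), "8.3": (8, 3, 999), "8.4": (8, 4, 999), "8.5": (8, 5, 999),
}

RELEASE_HEADING = re.compile(r"^Drupal (\d+(?:\.\d+)+), *\S+", re.MULTILINE)


def parse_version(changelog: str) -> Optional[Version]:
    """Return the newest release in a CHANGELOG.txt (its first heading), or None."""
    match = RELEASE_HEADING.search(changelog)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def branch_of(version: Version) -> str:
    """Drupal 7 has a single branch ("7"); Drupal 8 is fixed per minor branch ("8.5")."""
    return str(version[0]) if version[0] < 8 else f"{version[0]}.{version[1]}"


def is_patched(version: Version, fixed: Dict[str, Version] = FIXED_RELEASES) -> Optional[bool]:
    """True/False against the branch's fixed release; None if no fix is listed for it.

    False is a prompt to check further: a hand-applied code patch leaves the
    changelog at the old version, as the email above points out.
    """
    branch = branch_of(version)
    if branch not in fixed:
        return None
    return version >= fixed[branch]


if __name__ == "__main__":
    found = parse_version(SAMPLE_CHANGELOG)
    print("changelog version:", found, "patched:", is_patched(found) if found else "unknown")
```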




