Network Security, Patch/Configuration Management, Vulnerability Management
Drupal software update patches highly critical RCE bug
The developers of Drupal this week issued a security advisory urging users to update their software following the discovery of a highly critical remote code execution vulnerability in their open-source content management framework."Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases," the advisory warns.The vulnerability, CVE-2019-6340, only affects websites if they have the Drupal 8 core RESTful Web Services (rest) module enabled and module allows PATCH or POST requests, or if they have another web services module enabled, including JSON:API in Drupal 8 or Servicesor RESTful Web Services in Drupal 7.Users of Drupal 8.6.x should upgrade to Drupal 8.6.10, while users of Drupal 8.5.x and earlier should switch to Drupal 8.5.11. Website operators are also advised to apply updates to certain Drupal contributed projects, even if they are using Drupal 7.For an immediate workaround that mitigates the issue, "you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources," the advisory continues.Samuel Mortenson of the Drupal Security Team is credited with the RCE flaw's discovery.
An In-Depth Guide to Network Security
Get essential knowledge and practical strategies to fortify your network security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



