Network Security, Patch/Configuration Management, Vulnerability Management

Drupal software update patches highly critical RCE bug


The developers of Drupal this week issued a security advisory urging users to update their software following the discovery of a highly critical remote code execution vulnerability in their open-source content management framework.

"Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases," the advisory warns.

The vulnerability, CVE-2019-6340, only affects websites if they have the Drupal 8 core RESTful Web Services (rest) module enabled and module allows PATCH or POST requests, or if they have another web services module enabled, including JSON:API in Drupal 8 or Servicesor RESTful Web Services in Drupal 7.

Users of Drupal 8.6.x should upgrade to Drupal 8.6.10, while users of Drupal 8.5.x and earlier should switch to Drupal 8.5.11. Website operators are also advised to apply updates to certain Drupal contributed projects, even if they are using Drupal 7.

For an immediate workaround that mitigates the issue, "you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources," the advisory continues.

Samuel Mortenson of the Drupal Security Team is credited with the RCE flaw's discovery.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.