Wednesday, March 28, 2018

Drupal 8.5.1 and 7.58 highly critical releases

[Update] Open Atrium (a Drupal distribution) and CiviCRM (CMS integration with Drupal) are also affected by this vulnerability. Make sure that your deployment is updated to the latest version.

--

Drupal has released a new version that fixes a highly critical security vulnerability. We strongly recommend upgrading your existing Drupal 7 and 8 sites.

The vulnerability fixed in the latest version of Drupal is the following:

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. More information can be found on the Drupal website here: https://www.drupal.org/sa-core-2018-002

It is recommended that you upgrade your Drupal application to Drupal 7.58 or later and Drupal 8.5.1 or later. You can follow our documentation to learn how to upgrade your application and ensure its security.

If you are unable to update immediately and have advanced Drupal administration skills, you may opt to patch your systems until such time as you are able to completely update. The Drupal community has provided patches, which can be applied using the following procedure:

1. Download the correct patch for your system based on the version of Drupal in use.

For Drupal 7.x:

wget -O drupal.patch 'https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5'

For Drupal 8.5.x:

wget -O drupal.patch 'https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f'

2. Apply the patch:

sudo git apply /opt/bitnami/apps/drupal/htdocs/drupal.patch

3. Restart the Apache web server:

sudo /opt/bitnami/ctlscript.sh restart apache

Patching is a temporary solution until you find the time to perform a complete upgrade of your Drupal installation.
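
To confirm which core version a docroot is running before and after the upgrade, the following added example (not part of the original post or of Bitnami's documentation) reads the VERSION constant from includes/bootstrap.inc (Drupal 7) or core/lib/Drupal.php (Drupal 8) and compares it with 7.58 and 8.5.1, the fixed releases named above. The function names and the sample docroot are made up for this illustration.

```shell
#!/bin/sh
# Added example: read the Drupal core version from a docroot and compare it
# with the fixed releases named in this post (7.58 and 8.5.1).

# Print the core version found under docroot $1; return 1 if none is found.
drupal_version() {
  local v=
  if [ -f "$1/core/lib/Drupal.php" ]; then       # Drupal 8: const VERSION = '8.5.0';
    v=$(sed -n "s/^ *const VERSION = '\([^']*\)';.*/\1/p" "$1/core/lib/Drupal.php" | head -n 1)
  elif [ -f "$1/includes/bootstrap.inc" ]; then  # Drupal 7: define('VERSION', '7.57');
    v=$(sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" "$1/includes/bootstrap.inc" | head -n 1)
  fi
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# Return 0 when version $1 is strictly older than $2, comparing numeric fields.
version_lt() {
  local a b x y
  a=${1%%-*}; b=${2%%-*}                         # drop suffixes such as -dev, -rc1
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# Return 0 if $1 is older than the fixed release, 1 if not, 2 if not 7.x/8.x.
needs_upgrade() {
  case $1 in
    7.*) version_lt "$1" 7.58 ;;
    8.*) version_lt "$1" 8.5.1 ;;
    *)   return 2 ;;
  esac
}

# Demo on a constructed Drupal 7 docroot (sample data, not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/includes"
echo "define('VERSION', '7.57');" > "$demo/includes/bootstrap.inc"
v=$(drupal_version "$demo")
if needs_upgrade "$v"; then echo "$v: older than the fixed release"; fi
rm -rf "$demo"
```

To check a real site, call drupal_version with the docroot used in step 2 (/opt/bitnami/apps/drupal/htdocs) instead of the constructed one.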

For new application deployments, including the Bitnami Launchpad, we are releasing Drupal 7.58 and 8.5.1 containers, installers, virtual machines and cloud images that include the fix to address this vulnerability. If you deploy Bitnami Drupal and it is not yet updated to its latest version, you will need to upgrade by following our documentation.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, where we will be happy to help.