Thursday, April 26, 2018

Drupal 8.5.3 and 7.59 highly critical releases (SA-CORE-2018-004)

[Note] Open Atrium (a Drupal distribution) and CiviCRM (CMS integration with Drupal) are also affected by this vulnerability. Make sure that your deployment is updated to the latest version.


Drupal has released a new version that fixes a highly critical security vulnerability. We strongly recommend upgrading your existing Drupal 7 and 8 sites.

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

It is recommended that you upgrade your Drupal application to Drupal 7.59 or later and Drupal 8.5.3 or later. We highly recommend creating a backup before proceeding. You can follow our documentation to learn how to upgrade your application and ensure its security.

If you are unable to update immediately and have advanced Drupal administration skills, you may opt to patch your systems until such time as you are able to completely update. The Drupal community has provided patches which can be applied using the following procedure:

1. Move to Drupal directory (assuming /opt/bitnami/ as installdir):
cd /opt/bitnami/apps/drupal/htdocs/

2. Download the correct patch for your system based on the version of Drupal in use.

- For Drupal 7.x:
wget -O drupal.patch ''

- For Drupal 8.5.x:
wget -O drupal.patch ''

3. Apply the patch:
sudo git apply /opt/bitnami/apps/drupal/htdocs/drupal.patch

4. Restart the Apache web server:
sudo /opt/bitnami/ restart apache

Patching is a temporary solution until you find the time to perform a complete upgrade of your Drupal installation. These patches will only work if your site already has the fix from SA-CORE-2018-002 applied.

For new application deployments, including the Bitnami Launchpad, we are releasing Drupal 7.59 and 8.5.3 containers, installers, virtual machines and cloud images that include the fix to address this vulnerability. If you deploy Bitnami Drupal and it is not yet updated to its latest version, you will need to upgrade by following our documentation.

If you have further questions about Bitnami Drupal or this security issue, please post to our community forum, where we will be happy to help.