SA-CORE-2019-003 can lead to arbitrary PHP code execution if one of the following conditions is met:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests.
- The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.
Learn more about this vulnerability in the Drupal official announcement.
Bitnami images are not affected since none of our solutions meet the conditions above, but it is recommended to upgrade your Drupal application to Drupal 8.6.10 or later. You can follow our documentation to learn how to upgrade your application to strengthen its security. We highly recommend creating a backup before performing the upgrade.
For new application deployments, including the Bitnami Launchpad ones, we have released Drupal 8.6.10 for containers, installers, virtual machines, cloud images, and Multi-Tier solutions. If you deploy any of these solutions and they have not yet been updated to the latest version, you will need to follow the upgrade process described in our documentation.
If you have further questions about this security issue, please post to our community forum, where we will be happy to help.