Highly critical vulnerability discovered in Drupal 8 core and several Drupal 7 contributed modules: CVE-2019-6340
The Drupal security team has announced the discovery of a highly critical remote code execution vulnerability and released new versions of Drupal 8 to patch it; the flaw could allow remote attackers to compromise Drupal sites.
The vulnerability is a critical remote code execution (RCE) flaw in Drupal core that can lead to arbitrary PHP code execution in some cases. Note that only the following sites are affected: Drupal 8 sites with the RESTful Web Services (rest) or JSON:API module enabled and allowing PATCH or POST requests, and Drupal 7 sites with the Services or RESTful Web Services module enabled.
To mitigate the vulnerability immediately, you should either update your Drupal 8 site's core and the respective Drupal 7 contributed modules, disable all web services modules, or ask us to reconfigure Apache on your AltaGrade server so that PUT/PATCH/POST requests to web services resources are not allowed. However, given how popular Drupal exploits are among attackers, we strongly recommend installing the latest updates:
- If you are using Drupal 8.6.x, upgrade your website to Drupal 8.6.10.
- If you are using Drupal 8.5.x or earlier, upgrade your website to Drupal 8.5.11.
- Be sure to install any available security updates for contributed projects after updating Drupal core.
- No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
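The Apache reconfiguration mentioned above, as an added example (not from the original post and not AltaGrade's own configuration): an Apache 2.4 fragment that refuses every method except read-only ones on JSON:API resources. It assumes the JSON:API module's default path prefix /jsonapi; the rest module exposes resources on site-specific paths, so the pattern has to be adjusted for those.

```apacheconf
# Added example: block write methods on JSON:API resources at the web server.
# Assumes JSON:API's default path prefix /jsonapi. The rest module's resource
# paths are configured per site, so add a matching block for them as needed.
<LocationMatch "^/jsonapi(/|$)">
    # Only GET, HEAD and OPTIONS pass through; PUT/PATCH/POST and any other
    # method receive a 403 before the request reaches Drupal's index.php.
    <LimitExcept GET HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</LocationMatch>
```

This is a stopgap for sites that legitimately need read access to the API while updates are scheduled; it does not replace installing the patched core and module versions.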
The Drupal security team also said that the Drupal 7 Services module itself does not require an update at this moment, but users should still consider applying other contributed updates associated with the latest advisory if "Services" is in use:
- Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025
- Translation Management Tool - Critical - Remote Code Execution - SA-CONTRIB-2019-024
- Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023
- Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022
- Metatag - Critical - Remote Code Execution - SA-CONTRIB-2019-021
- Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020
- JSON:API - Highly critical - Remote Code Execution - SA-CONTRIB-2019-019
- RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2019-018
Please note that, if you have opted in to automatic core updates, core has already been updated on all Drupal 8 and Drupal 7 websites hosted on our new AltaGrade and old Drupion servers. However, contributed modules are not covered by this: customers' technical departments or their developers need to run the necessary updates themselves, or create tickets on the AltaGrade or Drupion dashboards asking us to perform the updates instead.