A highly critical vulnerability in Drupal 8 core and several Drupal 7 contributed modules discovered: CVE-2019-6340

The Drupal security team has announced a highly critical remote code execution vulnerability in Drupal core and released Drupal 8.6.10 and 8.5.11 to fix it. Until the fix is applied, the flaw could allow remote attackers to compromise affected Drupal sites.

The vulnerability in question is a critical remote code execution (RCE) flaw in Drupal core: some field types do not properly sanitize data coming from non-form sources, so a crafted request to a web services endpoint can lead to arbitrary PHP code execution in some cases. It should be noted that only sites exposing such an endpoint are affected: Drupal 8 sites with the RESTful Web Services (rest) module enabled and allowing PATCH or POST requests, Drupal 8 sites with another web services module such as JSON:API enabled, or Drupal 7 sites with the Services or RESTful Web Services contributed modules enabled.

To mitigate the vulnerability immediately, you can either update your Drupal 8 site's core and the respective Drupal 7 contributed modules, disable all web services modules, or ask us to reconfigure Apache on your AltaGrade server to reject PUT/PATCH/POST requests to web services resources. Blocking write requests only narrows the attack surface, however; considering how quickly Drupal exploits spread among attackers, we strongly recommend installing the latest updates.
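The affected surface described above (write requests to REST and JSON:API resources) and the web-server mitigation both come down to one rule: PUT, PATCH or POST requests whose target is a web services resource. The script below, an added example that is not part of the original notice or of Drupal's own code, applies that rule to Apache access-log lines so you can see whether such requests are reaching a site and whether the web-server block is actually returning an error for them. The sample log lines are constructed for the example, and the two target patterns it uses (`/jsonapi/...` paths and a `_format=hal_json|json|xml` query parameter, which Drupal 8 REST requires) are assumptions about a default configuration; a site with custom REST paths needs them extended.

```python
import re
from dataclasses import dataclass

# Combined/common Apache log prefix: client, ident, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Methods the advisory's mitigation rejects for web services resources.
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Drupal 8 REST requires an explicit _format query parameter; JSON:API lives under /jsonapi.
# Both patterns are assumptions about a default configuration (see lead-in).
FORMAT_RE = re.compile(r'(?:^|&)_format=(?:hal_json|json|xml)(?:&|$)', re.IGNORECASE)
JSONAPI_PREFIX = "/jsonapi"

# Statuses that show the web server (not Drupal) turned the request away.
BLOCKED_STATUSES = {403, 405}


@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    target: str
    status: int
    blocked: bool  # True when Apache refused the request before Drupal saw it


def is_web_services_target(target: str) -> bool:
    """Return True for a request target that addresses a REST or JSON:API resource."""
    path, _, query = target.partition("?")
    if path == JSONAPI_PREFIX or path.startswith(JSONAPI_PREFIX + "/"):
        return True
    return bool(FORMAT_RE.search(query))


def scan(lines):
    """Flag write-method requests to web services resources, one Hit per matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than guess
        method = m["method"]
        if method not in WRITE_METHODS or not is_web_services_target(m["target"]):
            continue
        status = int(m["status"])
        hits.append(Hit(m["ip"], m["ts"], method, m["target"], status,
                        status in BLOCKED_STATUSES))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Feb/2019:08:01:02 +0000] "GET /node/1?_format=hal_json HTTP/1.1" 200 811 "-" "curl/7.64.0"',
    '203.0.113.10 - - [21/Feb/2019:08:01:05 +0000] "POST /node/1?_format=hal_json HTTP/1.1" 200 2310 "-" "curl/7.64.0"',
    '203.0.113.11 - - [21/Feb/2019:08:02:17 +0000] "PATCH /node/1?_format=hal_json HTTP/1.1" 403 199 "-" "python-requests/2.21"',
    '203.0.113.12 - - [21/Feb/2019:08:03:40 +0000] "POST /jsonapi/node/article HTTP/1.1" 201 1450 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Feb/2019:08:04:01 +0000] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Feb/2019:08:04:09 +0000] "GET /jsonapi/node/article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def unblocked_hits(lines):
    """Hits that got through to Drupal: the cases to investigate on an unpatched site."""
    return [h for h in scan(lines) if not h.blocked]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        state = "blocked by web server" if hit.blocked else "REACHED DRUPAL"
        print(f"{hit.timestamp} {hit.ip} {hit.method} {hit.target} -> {hit.status} ({state})")
```

Run it against `/var/log/apache2/access.log` by passing the file's lines to `scan()`. A hit with a non-error status on a site that still has REST or JSON:API enabled and is not yet on 8.6.10/8.5.11 deserves a closer look; a run of 403/405 responses for the same requests is what a correctly configured Apache block looks like. Access logs do not record request bodies, so this cannot tell a harmless API write from a malicious one; it only shows where the exposed surface is being exercised.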

The Drupal security team also stated that the Drupal 7 Services module itself does not require an update at this time, but if Services is in use you should still apply the other contributed-module updates associated with the latest advisory.

Please note that if you have opted in to automatic core updates, core on all Drupal 8 and Drupal 7 websites hosted on our new AltaGrade and old Drupion servers has already been updated. Contributed modules are not covered by that: your technical department or developers need to run those updates themselves, or open a ticket on the AltaGrade or Drupion dashboard asking us to perform them.

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For the last few years he has been actively developing AltaGrade's new back-end system.
