The security audit team at Drupal has released a critical patch for the popular content management system. The patch will fix a bug named Drupalgeddon2, discovered by Jasper Mattson – an employee of Drupal. According to Drupal, the attackers can make use of the loophole to execute remote code that allows them to exploit multiple attack vectors on sites that use the content management system, which could result in the site being completely compromised.
Hackers can simply visit a targeted site with an outdated version of Drupal, execute a code which will allow them to modify or delete data remotely, injecting scripts into sites to steal user’s CPU/GPU power to mine bitcoin. This vulnerability is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. If you haven’t update already, you should drop everything you’re doing and update now.
Update now — Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002 — https://t.co/uwzodrmegc
— Drupal Security (@drupalsecurity) March 28, 2018
- If you are running 7.x, upgrade to Drupal 7.59.
- If you are running 8.5.x, upgrade to Drupal 8.5.3.
- If you are running 8.4.x, upgrade to Drupal 8.4.8. (Drupal 8.4.x is no longer supported and they don’t normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)
If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:
Older version of Drupal version 6 is also affected. Contact DLTS Vendor if you need support.