The security audit team at Drupal has released a critical patch for the popular content management system. The patch will fix a bug named Drupalgeddon2, discovered by Jasper Mattson – an employee of Drupal. According to Drupal, the attackers can make use of the loophole to execute remote code that allows them to exploit multiple attack vectors on sites that use the content management system, which could result in the site being completely compromised.

Hackers can simply visit a targeted site with an outdated version of Drupal, execute a code which will allow them to modify or delete data remotely, injecting scripts into sites to steal user’s CPU/GPU power to mine bitcoin. This vulnerability is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild. If you haven’t update already, you should drop everything you’re doing and update now.

Update Details

  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, upgrade to Drupal 8.4.8. (Drupal 8.4.x is no longer supported and they don’t normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)

If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:

These patches will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)

Older version of Drupal version 6 is also affected. Contact DLTS Vendor if you need support.

Posted by Scott

Hi, I’m Scott! As CEO, President and co-founder I oversee all executive operations. Having held the position for just over 8 years, BigScoots has grown substantially in that time and forced me to adapt and relearn the industry many times over. I am responsible for all vendor partnerships, business forecasting and working directly with customers to learn what BigScoots does well and how we can improve. I hold a degree in Cellular and Molecular Biology and when not in Chicago or travelling, I’m in London with my wife and pet cat Jack.