qertchina.blogg.se - Drupal core update vulnerability

DRUPAL CORE UPDATE VULNERABILITY INSTALL

No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.Ī super-quick remediation is to disable all web services modules, or configure your web server(s) to not allow PUT, PATCH, or POST requests to web services resources.

DRUPAL CORE UPDATE VULNERABILITY INSTALL

They further indicate that Drupal site owners should make sure to install any available security updates for contributed projects after updating Drupal core. If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.What can I do to secure my Drupal servers from CVE-2019-6340? NOTE: If you are running a version of Drupal older than 8.5.x, you must upgrade to 8.5.11 or 8.6.10 to fix this vulnerability.

They further indicate that “The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.”

The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or.

The Drupal Core team has identified a certain set of conditions necessary for a successful exploit: The vulnerability lies in the lack of field sanitization from non-form sources, which can result in arbitrary remote code execution on the Drupal server. 20, 2019, the Drupal Core team provided an early-warning update for the third Drupal Core Security Alert of 2019, which has been assigned CVE-2019-6340. Last updated at Fri, 13:54:25 GMT What do I need to know about the Drupal remote code execution vulnerability?