SA-CORE-2013-002 - Drupal core - Denial of service

Drupal core’s Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.

CVE identifier(s) issued

• CVE-2013-0316

Versions affected

• Drupal core 7.x versions prior to 7.20.

Solution

Install the latest version:

• If you use Drupal 7.x, upgrade to Drupal core 7.20.

Also see the Drupal core project page.

Reported by

• Bèr Kessels
• aBrookland
• Chad Fennell

Fixed by

• Damien Tournoud of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• David Rothstein of the Drupal Security Team
• Heine Deelstra of the Drupal Security Team
• Bèr Kessels

Coordinated by

• David Rothstein of the Drupal Security Team
• Stéphane Corlosquet of the Drupal Security Team
• Peter Wolanin of the Drupal Security Team
• Greg Knaddison of the Drupal Security Team