Developers with Drupal patched three vulnerabilities in Drupal’s core engine on Wednesday, one of them critical and one already being exploited in the wild.
> Drupal 7.56 and 8.3.4 are security releases. Update your sites. <https://t.co/ik3TB2YJtt>
>
> — Drupal Security (@drupalsecurity) June 21, 2017
The most pressing issue addressed by the update, which brings Drupal 8 to version 8.3.4 and Drupal 7 to version 7.56, could have led to code execution, the content management software’s security team warned. According to the advisory, the PECL YAML parser used by Drupal 8 failed to handle PHP objects safely during operations within Drupal core, which could have opened the door to remote code execution.
A separate, less critical issue also existed in Drupal 8. Until it was fixed, the file REST resource failed to properly validate fields when manipulating files. Only select sites were vulnerable, Drupal says: a site would have had to have the RESTful Web Services module enabled, the file REST resource enabled, and PATCH requests allowed. On top of that, an attacker would have had to be able to register a user account on the site with permissions to upload files and to modify the file resource.
The last bug affected both Drupal 7 and Drupal 8 and was being exploited in the wild by attackers for spam purposes, the advisory reads. The issue, rated only moderately critical by developers, was at its crux an access bypass vulnerability.
“Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users,” the advisory reads. “Drupal core did not previously provide this protection.”
The vulnerability only affects sites that allow anonymous users to upload files into a private system.
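As an added illustration of the access rule the advisory describes (this is example code, not the page’s or Drupal’s own patch), the check below is written in the style of a Drupal 7 hook_file_download() callback for a private file. It assumes a file record with fid, uid and status fields, and remembers the fids an anonymous uploader created under a hypothetical session key, anonymous_allowed_file_ids; both the function name and the session key are assumptions made for this example.

```php
<?php
// Added example (not Drupal core): modelling the access rule from the advisory.
// Drupal 7 convention: a file with status 0 is temporary (not yet attached to
// content); FILE_STATUS_PERMANENT marks a file attached to saved content.
define('FILE_STATUS_PERMANENT', 1);

/**
 * Decide whether $account may download the private file $file.
 *
 * Returns TRUE to grant access or -1 to deny it, following the
 * hook_file_download() return convention.
 *
 * @param stdClass $file    File record with ->fid, ->uid and ->status.
 * @param stdClass $account Requesting user with ->uid (0 = anonymous).
 * @param array    $session The requester's session data (assumed key below).
 */
function example_private_file_access(stdClass $file, stdClass $account, array $session) {
  // Permanent files are governed by the normal content access checks.
  if ($file->status == FILE_STATUS_PERMANENT) {
    return TRUE;
  }

  // Temporary file owned by an authenticated user: only that user may see it.
  if ($file->uid != 0) {
    return ($account->uid == $file->uid) ? TRUE : -1;
  }

  // Temporary file uploaded anonymously (uid 0). Comparing uids alone is the
  // bypass: every anonymous visitor shares uid 0, so all of them would match.
  // The fixed rule binds the file to the uploader's own session instead.
  if ($account->uid == 0) {
    $allowed = isset($session['anonymous_allowed_file_ids'])
      ? $session['anonymous_allowed_file_ids'] : array();
    return in_array($file->fid, $allowed, TRUE) ? TRUE : -1;
  }

  // An authenticated user asking for someone else's temporary upload.
  return -1;
}

// Constructed sample data: one anonymous temporary upload, two anonymous visitors.
$file = (object) array('fid' => 42, 'uid' => 0, 'status' => 0);
$anon = (object) array('uid' => 0);
$uploaderSession = array('anonymous_allowed_file_ids' => array(42));
$otherSession    = array();

var_dump(example_private_file_access($file, $anon, $uploaderSession)); // bool(true)
var_dump(example_private_file_access($file, $anon, $otherSession));    // int(-1)
```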
It’s the first set of updates for Drupal since April, when the CMS fixed another access bypass vulnerability in its core engine. The project said at the time that websites were vulnerable only under certain conditions. Similar to the REST resource bug fixed this week, April’s bug affected only sites that had the RESTful Web Services module enabled and that allowed attackers to obtain or register a user account.
As it’s a security update, Drupal is strongly recommending that users running 7.x versions prior to 7.56 and 8.x versions prior to 8.3.4 update to the latest releases.