The Drupal CMS team has released a security update to address a critical severity access bypass vulnerability in the CMS’ core component. It could allow attackers to take control of impacted sites.
So, what are the details and how can you protect your site against this vulnerability?
In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.
Only a limited set of websites running on the Drupal CMS are affected. According to the security advisory, the issue affects only Drupal 8.7.4; Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not affected.
Drupal 8.7.5, which patches the vulnerability, was issued today. It fixes the access bypass bug tracked as CVE-2019-6342, thus allowing admins to quickly patch their servers to protect them from potential attacks.
More importantly, according to the Drupal development team, the fix is ONLY applied on affected websites once update.php has been run, which is a required manual step when upgrading to Drupal 8.7.5.
Updating to 8.7.5 is very important: attackers could leverage the vulnerability simply by visiting a URL, and no registration or authentication is required to abuse impacted websites.
Luckily, an exploit for this vulnerability is not yet available. However, in the event that one is developed, most sites running on Drupal 8.7.4 will be exposed to attacks, given that “default or common module configurations are exploitable.”
Mitigation measures are also available for admins who cannot immediately update the Drupal installation on their servers. The simplest way to do this is by disabling the Workspaces module for affected sites.
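The two conditions above (core exactly 8.7.4 and the Workspaces module enabled) can be checked offline from files a Drupal 8 site already has on disk. The following audit script is an added example, not code from Drupal or UKFast; it assumes the VERSION constant in core/lib/Drupal.php and the exported core.extension.yml (installed modules under the `module:` key), and the sample file contents are constructed.

```python
"""Audit a Drupal 8 code base for the CVE-2019-6342 exposure conditions."""
import re
from typing import Optional

AFFECTED_VERSION = "8.7.4"   # the only release the advisory lists as affected
FIXED_VERSION = "8.7.5"


def core_version(drupal_php: str) -> Optional[str]:
    """Extract Drupal::VERSION from the contents of core/lib/Drupal.php."""
    m = re.search(r"const\s+VERSION\s*=\s*['\"]([^'\"]+)['\"]", drupal_php)
    return m.group(1) if m else None


def installed_modules(core_extension_yml: str) -> set:
    """Module machine names under the top-level 'module:' key of core.extension.yml.

    Minimal parser for the flat 'name: weight' mapping Drupal exports, so PyYAML
    is not required. Other top-level blocks (_core, theme, profile) are skipped.
    """
    modules, in_module_block = set(), False
    for line in core_extension_yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):          # a top-level key starts a new block
            in_module_block = line.rstrip() == "module:"
            continue
        if in_module_block:
            modules.add(line.strip().split(":", 1)[0])
    return modules


def assess(drupal_php: str, core_extension_yml: str) -> dict:
    """Decide exposure and the action the advisory calls for."""
    version = core_version(drupal_php)
    workspaces_on = "workspaces" in installed_modules(core_extension_yml)
    affected = version == AFFECTED_VERSION and workspaces_on
    if affected:
        action = f"update to {FIXED_VERSION} and run update.php; until then uninstall Workspaces"
    elif version == AFFECTED_VERSION:
        action = f"update to {FIXED_VERSION}; keep Workspaces disabled until then"
    else:
        action = "not affected by CVE-2019-6342"
    return {"version": version, "workspaces_enabled": workspaces_on,
            "affected": affected, "action": action}


# Constructed sample inputs standing in for the two files on a real site.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '8.7.4';\n}\n"
SAMPLE_CORE_EXTENSION = ("_core:\n  default_config_hash: placeholder\n"
                         "module:\n  block: 0\n  node: 0\n  workspaces: 0\n"
                         "profile: standard\ntheme:\n  bartik: 0\n")

if __name__ == "__main__":
    print(assess(SAMPLE_DRUPAL_PHP, SAMPLE_CORE_EXTENSION))
```

On a real site, read the two files from the code base and the exported config directory and pass their contents to `assess`.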
Explore UKFast’s range of security solutions and ensure your business is protected from cyber-threats.