Drupal fixed a critical vulnerability that could be used to hijack sites

Written by Brendan Smith

Drupal developers have fixed a critical vulnerability (CVE-2019-6342) in their CMS that could be used to take full control of a vulnerable site.

The problem affected only Drupal 8.7.4; Drupal 8.7.3 and earlier versions, Drupal 8.6.x, Drupal 7.x and earlier versions of those branches were not affected by the bug.

The developers explain that the bug is associated with the experimental Workspaces module. If that module is enabled on Drupal 8.7.4, the conditions for an access bypass are created.

The vulnerability was fixed in the Drupal 8.7.5 release. The developers emphasize that the fix only takes effect on vulnerable sites once update.php has been run; running it is a mandatory step that must be done manually when upgrading to Drupal 8.7.5.

“Sites with the Workspaces module enabled need to run update.php to ensure cache cleaning. If you use a reverse proxy cache or content delivery network (for example, Varnish, CloudFlare), it is also advisable to clear them,” Drupal warned.

The developers recommend that users update the CMS to version 8.7.5 as quickly as possible, since an attacker only needs to visit a specific URL on a vulnerable site to interact with it without any registration or authentication. Fortunately, there is no exploit for CVE-2019-6342 yet, so administrators have time to upgrade.

If, for some reason, installing the update is not possible, it is recommended to at least disable the vulnerable Workspaces module.

Currently, according to official data, 290,958 sites use Drupal 8.x (out of 1,093,220 sites). Moreover, the developers acknowledge that these statistics are incomplete: they include only sites that use the Update Status module. This module has been included in Drupal since version 6.x, so the statistics simply do not cover older installations.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert urging Drupal administrators and users to upgrade to the patched Drupal 8.7.5 version.

Mitigation measures:

Mitigation measures are also available for admins who cannot immediately update the Drupal installation on their servers; the simplest is to disable the Workspaces module on affected sites.
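As an added example (not from the article or the Drupal project), the following POSIX shell helper turns the advisory's triage into a script: a pure check for the exposed combination (core 8.7.4 with Workspaces enabled) and a wrapper that gathers those facts with drush and applies either the post-upgrade steps or the fallback mitigation. It assumes Drush 9 or later on PATH, that it is run from the site's docroot, and that the `--field` output option of `drush status` and `drush pm:list` behaves as shown; those command details are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example: triage and mitigation for CVE-2019-6342 (SA for Drupal 8.7.4 + Workspaces).
# Not part of the article or of Drupal/Drush; drush invocations are assumptions.

# Pure decision, testable offline:
#   $1 = Drupal core version string (e.g. "8.7.4")
#   $2 = whitespace-separated machine names of enabled modules
# Returns 0 (true) only for the exposed combination described in the advisory.
drupal_exposed_to_cve_2019_6342() {
  version="$1"
  modules="$2"
  [ "$version" = "8.7.4" ] || return 1
  for m in $modules; do
    [ "$m" = "workspaces" ] && return 0
  done
  return 1
}

# Steps the advisory requires AFTER upgrading to 8.7.5: the fix only takes
# effect once update.php (here: drush updatedb) has run and caches are rebuilt.
# Reverse-proxy / CDN caches (Varnish, CloudFlare) still have to be purged separately.
post_upgrade_steps() {
  drush updatedb -y
  drush cache:rebuild
}

# Fallback when upgrading is not yet possible. Drupal 8 has no "disabled" state:
# pm:uninstall removes the module and its workspace data, so upgrade as soon as you can.
fallback_mitigation() {
  drush pm:uninstall -y workspaces
  drush cache:rebuild
}

apply_mitigation() {
  version=$(drush status --field=drupal-version)
  modules=$(drush pm:list --type=module --status=enabled --field=name)
  if drupal_exposed_to_cve_2019_6342 "$version" "$modules"; then
    echo "Drupal $version with Workspaces enabled: exposed, removing the module"
    fallback_mitigation
  elif [ "$version" = "8.7.5" ]; then
    echo "Drupal $version: running the mandatory post-upgrade steps"
    post_upgrade_steps
  else
    echo "Drupal $version: not exposed (Workspaces disabled or version differs)"
  fi
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--apply" ]; then apply_mitigation; fi
```

Run `sh mitigate.sh --apply` from the docroot to act; without the flag the file only defines the functions.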


About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.
