Drupal developers have fixed a critical vulnerability (CVE-2019-6342) in their CMS that could be used to take full control of a vulnerable site. The problem affected only Drupal 8.7.4; Drupal 8.7.3 and earlier, as well as Drupal 8.6.x, Drupal 7.x and earlier versions of those branches, were not affected by the bug.
The developers explain that the bug is tied to the experimental Workspaces module: if it is enabled on Drupal 8.7.4, it creates the conditions for an access bypass.
The vulnerability was fixed in the Drupal 8.7.5 release. The developers emphasize that the fix takes effect on vulnerable sites only after update.php has been run, a mandatory step that must be performed manually when upgrading to Drupal 8.7.5.
“Sites with the Workspaces module enabled need to run update.php to ensure cache cleaning. If you use a reverse proxy cache or content delivery network (for example, Varnish, CloudFlare), it is also advisable to clear them,” Drupal warned.
The developers recommend that users update the CMS to version 8.7.5 as quickly as possible, since an attacker only has to visit a specific URL to attack a vulnerable resource and interact with the site without any registration or authentication. Fortunately, there is no exploit for CVE-2019-6342 yet, so administrators have time to upgrade.
If installing the update is not possible for some reason, it is recommended that you at least disable the vulnerable Workspaces module.
Currently, according to official data, 290,958 sites use Drupal 8.x (out of 1,093,220 sites running Drupal). The developers acknowledge that these statistics are incomplete: they include only sites that use the Update Status module. That module has been included in Drupal since version 6.x, so the statistics simply do not cover older sites.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert urging Drupal administrators and users to upgrade to the patched Drupal 8.7.5 release.
Mitigation measures are also available for administrators who cannot immediately update the Drupal installation on their servers; the simplest is to disable the Workspaces module on affected sites.
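The advisory boils down to one question an administrator has to answer for every Drupal 8 site: is it running core 8.7.4 with the Workspaces module enabled? The following triage script is an added example, not code from the article or from the Drupal project. It reads two files a Drupal 8 site already has: `core/lib/Drupal.php`, which declares the core version as a `const VERSION` constant, and an exported `core.extension.yml`, which lists enabled modules under `module:`. The file contents in the block are constructed for the demonstration, and the `assess_cve_2019_6342` wrapper (name and output format) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the article or the Drupal project): triage a Drupal 8
# site for the CVE-2019-6342 configuration (core 8.7.4 with Workspaces enabled).
# The sample files written below are constructed for a stand-alone run.

# Extract the core version from core/lib/Drupal.php, which contains a line like
#   const VERSION = '8.7.4';
drupal_core_version() {
  sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" "$1"
}

# Return 0 if the Workspaces module is listed as enabled in core.extension.yml.
# Enabled modules appear under the "module:" key as "name: weight" entries.
workspaces_enabled() {
  awk '
    /^module:/ { in_mod = 1; next }
    /^[^[:space:]]/ { in_mod = 0 }
    in_mod && $1 == "workspaces:" { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Combine both checks. Only 8.7.4 with Workspaces enabled is affected; the
# patched 8.7.5 and the other branches are not. (Hypothetical wrapper name.)
assess_cve_2019_6342() {
  version=$(drupal_core_version "$1")
  if [ "$version" = "8.7.4" ] && workspaces_enabled "$2"; then
    echo "vulnerable: Drupal $version with Workspaces enabled; update to 8.7.5, run update.php and clear caches, or disable Workspaces"
  else
    echo "not affected: Drupal $version (Workspaces enabled: $(workspaces_enabled "$2" && echo yes || echo no))"
  fi
}

# --- constructed sample inputs so the script runs without a real site ---
tmp=$(mktemp -d)
cat > "$tmp/Drupal.php" <<'EOF'
<?php
class Drupal {
  const VERSION = '8.7.4';
}
EOF
cat > "$tmp/core.extension.yml" <<'EOF'
module:
  node: 0
  user: 0
  workspaces: 0
theme:
  bartik: 0
profile: standard
EOF

assess_cve_2019_6342 "$tmp/Drupal.php" "$tmp/core.extension.yml"
```

On a real site, point the two arguments at the installation's `core/lib/Drupal.php` and at a fresh `drush config:export` of `core.extension.yml`. If the result is "vulnerable", the remediation the article describes maps onto Drush as `drush updatedb` (the equivalent of running update.php) followed by `drush cache:rebuild`, and the fallback mitigation is `drush pm:uninstall workspaces`; any reverse proxy or CDN cache in front of the site still needs to be purged separately.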