The Drupal security team is urging users of its open-source content management platform to update the core software, or at the very least install the latest patches, as hackers are now actively exploiting a critical vulnerability.
A remote code execution vulnerability recently found in Drupal versions 7.x and 8.x allows bad actors to exploit multiple attack vectors on a Drupal site. Drupal found that this vulnerability is related to an older vulnerability (Drupal Core – Highly critical – Remote Code Execution – SA-CORE-2018-002).
“For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days,” reads an advisory on the Drupal.org site.
An update to the advisory says that both flaws are now being exploited in the wild.
Users are told to upgrade to the most recent version of Drupal 7 or 8 core: Drupal 7.59, Drupal 8.5.3, or Drupal 8.4.8. Users of Drupal 8.4.x are being notified that their version is no longer supported, and the team doesn’t normally patch unsupported software, but they made an exception this time.
“We are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible,” the team writes.
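A defender-side check against the release numbers above, added here as an example and not Drupal's own tooling: it classifies an installed core version string (taken from the site's own version constant, an assumption since the article names no file) against the fixed releases named in the advisory, treats 8.4.8 as the interim step the team describes, and flags branches for which the advisory gives no fixed release. The inventory at the bottom is constructed sample data.

```python
import re

# Fixed releases named in the advisory, keyed by branch: Drupal 7 is one
# branch, Drupal 8 is tracked per minor series (8.4.x and 8.5.x).
FIXED = {(7,): (7, 59), (8, 4): (8, 4, 8), (8, 5): (8, 5, 3)}
LATEST_SECURE = (8, 5, 3)  # where the advisory tells 8.4.x sites to end up
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(-[\w.]+)?\s*$")

def parse_version(text):
    """Split '8.5.2' or '7.58' into (numeric tuple, is_release); a suffix
    like '-dev' or '-rc1' marks a pre-release, which sorts below the release."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    parts = [int(m.group(1)), int(m.group(2))]
    if m.group(3) is not None:
        parts.append(int(m.group(3)))
    return tuple(parts), m.group(4) is None

def fmt(parts):
    return ".".join(str(p) for p in parts)

def check_version(text):
    """Return (status, advice): 'fixed', 'interim' (8.4.8 stop-gap),
    'vulnerable', or 'unsupported' (branch has no fixed release here)."""
    parts, is_release = parse_version(text)
    branch = (parts[0],) if parts[0] == 7 else parts[:2]
    key = (parts, is_release)  # (X, False) < (X, True): pre-release < release
    fixed = FIXED.get(branch)
    if fixed is not None:
        if key < (fixed, True):
            return "vulnerable", f"update to {fmt(fixed)} now"
        if branch == (8, 4):  # stop-gap release on an unsupported branch
            return "interim", f"then move to {fmt(LATEST_SECURE)} as soon as possible"
        return "fixed", "on a fixed release"
    if key >= (LATEST_SECURE, True):
        return "fixed", "newer than the releases in this advisory"
    return "unsupported", f"no fixed release for this branch; upgrade to {fmt(LATEST_SECURE)}"

def triage(inventory):
    """Map {site: version} to the sites that still need action."""
    results = {site: check_version(ver) for site, ver in inventory.items()}
    return {s: r for s, r in results.items() if r[0] != "fixed"}

# Constructed sample inventory (not from the advisory).
SAMPLE_INVENTORY = {"intranet": "7.58", "docs": "8.5.3", "legacy": "8.3.9", "shop": "8.4.8"}

if __name__ == "__main__":
    for site, (status, advice) in triage(SAMPLE_INVENTORY).items():
        print(f"{site}: {status} ({advice})")
```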
Users unable to update their core Drupal installation for the time being can apply a patch to fix the vulnerability until they can update completely. The patches can be found here. Users are warned that the patches will only work if their site already has the fix from SA-CORE-2018-002 applied.
“If your site does not have that fix, it may already be compromised,” Drupal says.