Drupal SA-CORE-2018-002 - Highly critical - Remote Code Execution vulnerability

Late last week, the Drupal Security Team announced a "Highly critical" remote code execution vulnerability that affects Drupal 6 (EOL), Drupal 7 and Drupal 8. SA-CORE-2018-002 dubbed "Drupalgeddon2" was discovered by Jasper Mattsson. Drupal scores it a whopping 21 (out of a possible 25) "Security Risk Level". All users are recommended to update their Drupal sites immediately.

Having said that, there are still no known exploits in the wild (at least none that I could find). Although, please don't let that give you any cause for procrastination on this! You need to update your Drupal appliance now! Please find notes below on making your Drupal site secure. Also please ensure that you have a current backup before you proceed. TKLBAM is a good option, but regardless of what backup tool you use, please ensure that you have tested your backup!

TurnKey v14.x (or v13.x) Drupal7 appliance

The secure version of Drupal 7 is v7.58. As all recent builds of the TurnKey GNU/Linux Drupal7 appliance have Drush (Drupal command line client) installed, the update should be fairly straight forward.

Special Note for v13.x users: Whilst v13.x is still currently supported with Debian security updates, technically, we no longer support it. Please be aware that the Debian security updates (via Debian LTS) end next month! If you are still running v13.x I strongly encourage you to update to v14.2 NOW!

Please ensure that you have a current backup before you do anything. TKLBAM is a great option here, although regardless of what you use, your should always test your backup to be sure everything is as it should be before you go ahead. I have tested this on a vanilla v14.2 Drupal7 appliance and it worked flawlessly, but please be aware, that as it had no user data, YMMV. I would expect that updates for v14.0/v14.1 (and v13.x too) should work exactly the same way, but I haven't 100% confirmed.

Update Drupal 7 to v7.58

To install security updates only (to apply all updates, exclude the --security-only switch) log into your appliance via SSH, then run the following:

drush pm-updatestatus
drush vset -y maintenance_mode 1
drush pm-update --security-only --simulate
drush pm-update --security-only
drush vset -y maintenance_mode 0

Patch Drupal 7

If you aren't in a position to immediately upgrade your Drupal 7 site to the latest secure version of Drupal 7, there is a patch which you can apply to get over the immediate concerns. Obviously, backing up your site before you proceed is still import!

The patch can be found here. To download it, right click in your web browser and "save as..." (or similar) 'sa-core-2018-002-7.patch'; then upload to the webroot of your server; /var/www/drupal7. Then SSH in and cd to the webroot. Then apply the patch as follows:

patch -p1 < sa-core-2018-002-7.patch

Additional notes on Drush in Drupal7 appliances

As an additional note, Drupal7 appliances came bundled with a global install of Drush 7.x. That version is no longer supported by Drush developers so you are recommended to also update that (although it isn't required for the Drupal 7 update and I'm not aware of any security related issues). You can find steps to upgrade to Drush 8.x on the Drupal7 appliance doc page.

TurnKey v14.x Drupal8 appliance

The secure and supported version of Drupal 8 is v8.5.1. If you have already updated Drupal to the latest 8.5.x branch, then you no doubt already know what to do to get it up to date. Personally, I have spent some time trying to update the v14.2 Drupal8 appliance to v8.5.x, but as there were some significant changes to Drupal between v8.3.x and v8.4.x, I haven't yet been able to figure it out, and don't want to delay this post any further. So I have provided 3 options and given as much info as I have to hand.

Option 1: Update Drupal 8 to v8.5.1

As noted above, I'm yet to successfully update our Drupal8 appliance to v8.5.1. However, if you wish to have a go at that, you may find @bormanst's comment on the relevant GitHub issue helpful. If you have anything further to add, especially any advice, please feel free to comment below, or on the GitHub issue itself.

Option 2: Update Drupal8 to latest 8.3.x (or 8.4.x) branch

Whilst technically Drupal 8.3.x is no longer supported, Drupal have released security update 8.3.9 for it, as well as an update for v8.4.x (8.4.6 - which is also technically no longer supported). In my opinion, if you already have 8.4.x installed, I'd recommend just updating to the supported 8.5.x branch, but YMMV.

According to the 8.3.9 release notes this release resolves the SA-CORE-2018-002 issue. TBH, I haven't tested extensively, but I did notice that the 8.3.9 release still complains that it has a "SECURITY UPDATE available"?! TBH, I'm not 100% sure... So to test, I updated to the 8.3.x-dev (essentially the very latest code; technically not a release) and it no longer complained. So if you are considering this path, I suggest you make sure to test everything thoroughly and make your own decision! I won't cover the 8.4.6 update, as I imagine you already know how to do that (you already got to 8.4.x yourself!).

Update Drupal 8.x.x (<8.4.x) to Drupal 8.3.9

drush pm-updatestatus
drush vset -y maintenance_mode 1
drush pm-update drupal-8.3.9
drush vset -y maintenance_mode 0

Update to Drupal 8.3.x-dev (currently 8.3.10-dev)

drush pm-updatestatus
drush vset -y maintenance_mode 1
drush pm-update drupal-8.3.x-dev
drush vset -y maintenance_mode 0

Option 3: Patch Drupal 8.3.x (or higher)

As noted above, whilst technically Drupal 8.3.x is no longer supported, Drupal have released a security update for it. Other than updating directly, Applying the patch is probably the quickest and easiest way to secure your Drupal8 appliance. So if you are running 8.3.x, I suggest that you apply the relevant patch ASAP to keep your Drupal8 appliance as secure as possible. You can then investigate upgrading to the supported v8.5.x branch. Even if you have already updated to v8.4.x (no longer supported) or even v8.5.x but don't have time immediately to upgrade to the latest supported version, then there are patches for these branches too.

Patch Drupal 8.3.x/8.4.x/8.5.x
Actually, it appears that the patch is exactly the same for all 8.3.x/8.4.x/8.5.x versions. So you will want to download the patch file by right clicking the ("patch file") link in your web browser and "save as..." (or similar) 'sa-core-2018-002-8.patch'. Then upload that file to the webroot of your server; /var/www/drupal8. Then SSH in and cd to the webroot. Then apply the patch like this:

patch -p1 < sa-core-2018-002-8.patch

Reversing a patch
If things go totally pear shaped, you can revert the patch like this:

patch -p1 -R < sa-core-2018-002-8.patch

Please note though, that if you revert the patch, you will be reverting the security fix!

TurnKey v13.x Drupal6 appliance

As noted above, Debian LTS security updates for v13.x end in about a month's time. As such, it is highly recommended that you update your appliance to v14.x. As all Drupal users should already know, Drupal 6 is EOL (end of life) as of Feb 24th 2016, so is no longer supported. However, if you are still running Drupal 6 and don't have immediate plans to upgrade, I strongly urge you to get in touch with one of the D6LTS vendors so you can secure your site! There is also a "semi-official" patch file here (although I have not tested it at all). Adjust the instructions above to apply the patch.

As we no longer provide a Drupal6 appliance, there is no immediate pathway to upgrade to v14.2, although you could do an "in place" Debian upgrade (i.e. to Debian Jessie). Alternatively, restoring a TKLBAM backup to a v14.x Drupal7 appliance (or perhaps even LAMP?) may be an option. Please note that I haven't tested it, and additional tweaks will likely be required.

Feedback always welcome

As per always, we love feedback and ideas on how we could do things better. If you have any suggestions, including (but not limited to) assistance with the upgrade to Drupal 8.5.x, please share in the comments below. Thanks.

Add new comment