Security Vulnerabilities: SA-CORE-2018-005 - Drupal 8.x & CVE-2018-14773 - Symfony

UPDATE: An updated v15.1 Drupal 8 appliance has been released. Read more here (part of the v15.0 stage 3 announcement).

SA-CORE-2018-005 - Drupal 8

The popular CMS platform Drupal recently announced that versions of Drupal 8 prior to 8.5.6 are affected by SA-CORE-2018-005 / CVE-2018-14773 (more CVE details below). Drupal 8 uses components from the Symfony framework, so it is affected by this Symfony bug.

Unfortunately, this includes our recently published v15.0 Drupal 8 appliance. All users of Drupal 8 are reminded that all versions prior to v8.5.6 are NO LONGER SUPPORTED.

Drupal 8 users are encouraged to update ASAP. Details on how to upgrade can be found in the Drupal 8 docs. An updated TurnKey Drupal 8 appliance will be released soon.

Please note that Drupal 7 is NOT AFFECTED by this bug.

CVE-2018-14773 - Symfony

As hinted above, a vulnerability that affects all versions of the popular Symfony framework was recently announced. Essentially, the bug allows attackers to bypass some security measures that admins may be using to restrict access to specific URLs. Some additional details and links are noted on the (US) National Vulnerability Database.

Symfony users are encouraged to update to a secure version as soon as possible. The Symfony docs cover both minor and major version upgrades. Users of supported versions can just do a minor upgrade; users of unsupported versions should upgrade to a supported version (via a major version upgrade) ASAP. An updated TurnKey Symfony appliance will be released soon.
