Security Vulnerabilities: SA-CORE-2019-003 - Drupal 8 Core, Drupal 7 plugins

SA-CORE-2019-003 - Highly critical - Remote Code Execution

Popular CMS platform Drupal recently announced a highly critical security vulnerability: SA-CORE-2019-003. This vulnerability allows for remote code execution on an exploited server. It is rated Highly Critical and mass exploits are now being reported in the wild!

It primarily applies to Drupal 8 Core, specifically if the RESTful API is enabled. However, it also applies to Drupal 7 if you have some specific REST API related plugins.

Drupal 8 - Update Now

Whilst the TurnKey Drupal 8 appliance ships with the RESTful API disabled, it's trivial to enable. Even if you are not using it, you should definitely update if you are using any API related plugins, such as JSON:API.

All Drupal 8 users are encouraged to update regardless. So if you haven't already, you are strongly advised to update to a supported version of Drupal 8 ASAP. Currently supported versions of Drupal 8 are 8.5.11 and 8.6.10. All other versions of Drupal 8 are EOL and no longer supported.

TurnKey Drupal 8 v15.0 & v15.1 users should at least update to 8.5.11, although updating to 8.6.10 is advised where possible. Newer TurnKey Drupal 8 appliances (v15.2 - v15.4) all came out with Drupal 8.6.x, and their users are advised to update to 8.6.10. Options for updating Drupal 8 are covered in the Drupal 8 docs.

Drupal 7 - Check for Plugin Security updates

Drupal 7 Core is not affected, so no Core update is required. Again, none of the default TurnKey configuration is problematic. However, due to the severe nature of the vulnerability, users are encouraged to check their plugins for security updates. A plugin of particular note is RESTful Web Services, along with any other plugins which provide an API.
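
As an added example (not TurnKey's or the Drupal project's code), these shell functions read the core version from a Drupal webroot and map it to the update advice in the two sections above. The webroot path is supplied by the caller and the result labels are made up for this example; the version declarations it reads are the ones Drupal core ships in core/lib/Drupal.php (Drupal 8) and includes/bootstrap.inc (Drupal 7).

```shell
#!/bin/sh
# Added example (not TurnKey or Drupal project code).

# Print the core version declared under a Drupal webroot ($1, caller-supplied).
# Drupal 8: core/lib/Drupal.php has    const VERSION = '8.6.10';
# Drupal 7: includes/bootstrap.inc has define('VERSION', '7.64');
drupal_core_version() {
    if [ -f "$1/core/lib/Drupal.php" ]; then
        sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" "$1/core/lib/Drupal.php" | head -n 1
    elif [ -f "$1/includes/bootstrap.inc" ]; then
        sed -n "s/.*define('VERSION', '\([^']*\)').*/\1/p" "$1/includes/bootstrap.inc" | head -n 1
    fi
}

# Map a core version string to the action this post gives for it.
# The labels printed here are hypothetical names chosen for this example.
classify_drupal_version() {
    ver=${1%%-*}                        # drop suffixes such as -rc1 or -dev
    case $ver in ''|*[!0-9.]*) echo unknown; return ;; esac
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=$1 minor=$2 patch=$3
    if [ "$major" = 7 ]; then
        echo "core-ok:check-api-modules"    # D7 core unaffected; API plugins may not be
    elif [ "$major" != 8 ] || [ -z "$minor" ] || [ -z "$patch" ]; then
        echo unknown
    elif [ "$minor" -lt 5 ]; then
        echo "eol:update-to-8.5.11-or-8.6.10"
    elif [ "$minor" -eq 5 ]; then
        if [ "$patch" -ge 11 ]; then echo ok; else echo "update-to-8.5.11"; fi
    elif [ "$minor" -eq 6 ]; then
        if [ "$patch" -ge 10 ]; then echo ok; else echo "update-to-8.6.10"; fi
    else
        echo "not-covered-by-this-post"     # releases newer than this post
    fi
}

# Usage: sh check.sh /path/to/webroot   (the path is an assumption of this example)
if [ -n "${1:-}" ]; then
    v=$(drupal_core_version "$1")
    echo "$1: ${v:-no version found} -> $(classify_drupal_version "$v")"
fi
```

A result of "ok" only covers core; API-related plugins still need their own security updates checked.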

Updated Drupal 8 appliance coming soon

I hope to release an updated Drupal 8 appliance within the coming week. I have disabled the TurnKey Drupal 8 appliance page until we have rebuilt our appliance to include the supported version. You can assume that if the link works (instead of giving a "You are not authorized to access this page." message), the app has been updated.

If you need a Drupal 8 appliance in the meantime, you can download from our mirror; however, you will need to ensure that you complete the update ASAP.

Need more assistance?

If you need any further assistance updating, please post below in the comments, or open a new thread in our support section (TurnKey forum account required). We'll do our best to help out.
