Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003

Drupal 8.3.4 and Drupal 7.56 are maintenance releases that contain fixes for security vulnerabilities.

Please be informed that the cores and core modules of all Drupal 8 and Drupal 7 websites on the Drupion platform will be updated automatically unless a customer has specifically requested otherwise. If you are a Drupion customer, you therefore need not worry about this security advisory. However, if you asked us not to update the Drupal 8 or 7 core on your Drupion server, please read on.

Updating your existing Drupal 8 and 7 sites is strongly recommended. This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.4 release notes and the 7.56 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.

* Advisory ID: DRUPAL-SA-CORE-2017-003
* Project: Drupal core
* Version: 7.x, 8.x
* Date: 2017-June-21
* Multiple vulnerabilities

DESCRIPTION

The PECL YAML parser does not handle PHP objects safely during certain operations
within Drupal core. This could lead to remote code execution.
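As an added illustration, not Drupal's or the advisory's own code, the PHP script below shows the PECL yaml behaviour the first issue describes (a tagged scalar being handed to unserialize()) beside the ini-level setting that disables it. It assumes PHP 8 with the PECL yaml extension installed; the document it parses is a constructed sample.

```php
<?php
// Added example, not Drupal's code: the PECL yaml hazard behind SA-CORE-2017-003
// and its ini-level mitigation. Assumes PHP 8 with the PECL yaml extension.
if (!extension_loaded('yaml')) {
    fwrite(STDERR, "PECL yaml extension not loaded\n");
    exit(1);
}

// Constructed sample: a scalar tagged !php/object carrying a serialized stdClass.
// With yaml.decode_php enabled the parser passes it to unserialize(), so untrusted
// YAML can instantiate any loaded class, the root cause named in the advisory.
const SAMPLE_YAML = <<<'YAML'
title: example
payload: !php/object 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'
YAML;

// Parse with PHP object decoding forced off for this call only, then restore.
function parse_yaml_without_objects(string $yaml): mixed
{
    $previous = ini_set('yaml.decode_php', '0');
    try {
        return yaml_parse($yaml);
    } finally {
        ini_set('yaml.decode_php', $previous === false ? '0' : $previous);
    }
}

// True when the parsed tree contains any PHP object at any depth.
function contains_object(mixed $value): bool
{
    if (!is_array($value)) {
        return is_object($value);
    }
    $found = false;
    array_walk_recursive($value, function ($leaf) use (&$found): void {
        $found = $found || is_object($leaf);
    });
    return $found;
}

// Weak setting: the object is instantiated straight from the document.
ini_set('yaml.decode_php', '1');
printf("decode_php=1 -> %s\n", get_debug_type(yaml_parse(SAMPLE_YAML)['payload']));

// Hardened call: the tagged value stays a plain string, and we verify that.
$safe = parse_yaml_without_objects(SAMPLE_YAML);
printf("decode_php=0 -> %s\n", get_debug_type($safe['payload']));
if (contains_object($safe)) {
    throw new RuntimeException('object decoded from untrusted YAML');
}
```

The same directive can be pinned to 0 in php.ini so that every yaml_parse() call in the process is covered, not only the wrapped one.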

The file REST resource does not properly validate some fields when
manipulating files. A site is only affected by this if the site has the
RESTful Web Services (rest) module enabled, the file REST resource is enabled
and allows PATCH requests, and an attacker can get or register a user account
on the site with permissions to upload files and to modify the file resource.

Private files that have been uploaded by an anonymous user but not
permanently attached to content on the site should only be visible to the
anonymous user that uploaded them, rather than all anonymous users. Drupal
core did not previously provide this protection, allowing an access bypass
vulnerability to occur. This issue is mitigated by the fact that in order to
be affected, the site must allow anonymous users to upload files into a
private file system.

The security team has also received reports that this vulnerability is being
exploited for spam purposes, similar to the scenario discussed in
PSA-2016-003 for the public file system.

VERSIONS AFFECTED

* Drupal core 7.x versions prior to 7.56
* Drupal core 8.x versions prior to 8.3.4

SOLUTION

Install the latest version:

* If you use Drupal 7.x, upgrade to Drupal core 7.56
* If you use Drupal 8.x, upgrade to Drupal core 8.3.4

Comments


Thank you for giving us heads up!
