Drupal Remote Code Execution Vulnerability CVE-2018-7600

April 3, 2018

The Drupal Security Team has announced a highly critical remote code execution vulnerability in Drupal core (advisory SA-CORE-2018-002, CVE-2018-7600), reported by Jasper Mattsson. It affects Drupal 7 and Drupal 8, and the end-of-life Drupal 6 as well.

If you run Drupal, upgrade every installation now. The vulnerability is exploitable by an anonymous visitor with no special setup, so apps left unpatched should be expected to be compromised.

If you host vulnerable Drupal apps with us, we have emailed you the list of apps that are affected and need to be upgraded.

According to Drupal's FAQ for this vulnerability:

How difficult is it for the attacker to leverage the vulnerability?
None (user visits page).

What privilege level is required for an exploit to be successful?
None (all/anonymous users).

Does this vulnerability cause non-public data to be accessible?
All non-public data is accessible.

Can this exploit allow system data (or data handled by the system) to be compromised?
All data can be modified or deleted.

Putting a Drupal app in maintenance mode does not mitigate this vulnerability.

To fix this vulnerability, upgrade to the fixed release for the branch you are running:

  • Drupal 8.5: upgrade to Drupal 8.5.1
  • Drupal 8.4: upgrade to Drupal 8.4.6
  • Drupal 8.3: upgrade to Drupal 8.3.9
  • Drupal 8.2 and earlier: no longer supported, upgrade to 8.3.9
  • Drupal 7: upgrade to Drupal 7.58
  • Drupal 6: end of life, apply the patch

Note that 8.3.x and 8.4.x are themselves unsupported branches: Drupal published 8.3.9 and 8.4.6 as a one-off exception because of the severity of this issue, so once you have applied them, plan the move to 8.5.x, which is the supported line. Upgrading closes the hole but does not undo a compromise that has already happened; if an app was reachable before it was upgraded, review it for unexpected files, modules and accounts.

See Drupal's instructions for information on how to upgrade Drupal 7 and Drupal 8.
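A quick way to check each checkout before and after upgrading, added here as an example (this is not code from the original post or from Drupal). It reads the core version from the file where Drupal core declares it (`core/lib/Drupal.php` for Drupal 8, `includes/bootstrap.inc` for Drupal 7) and compares it with the fixed releases listed above. The two sample checkouts built by `demo()` are constructed, the script name in the usage comment is made up, and treating pre-release suffixes and unlisted branches as vulnerable is the script's own conservative choice.

```python
"""Check Drupal checkouts against the fixed releases for CVE-2018-7600.

Added example, not code from the original post or from Drupal. It reads the
core version from the file where Drupal core declares it and compares it with
the fixed releases listed in the advisory.
"""
import re
import sys
import tempfile
from pathlib import Path

# Fixed releases per branch, as listed in the advisory.
FIXED = {(8, 5): (8, 5, 1), (8, 4): (8, 4, 6), (8, 3): (8, 3, 9), (7,): (7, 58)}

# Where Drupal core records its own version and how the line looks:
#   Drupal 8: core/lib/Drupal.php     ->  const VERSION = '8.5.0';
#   Drupal 7: includes/bootstrap.inc  ->  define('VERSION', '7.57');
VERSION_FILES = ("core/lib/Drupal.php", "includes/bootstrap.inc")
VERSION_PATTERNS = (
    re.compile(r"const\s+VERSION\s*=\s*'([^']+)'"),
    re.compile(r"define\('VERSION',\s*'([^']+)'\)"),
)


def parse_version(text):
    """'8.5.0' -> (8, 5, 0); '7.58' -> (7, 58).

    A pre-release suffix ('8.5.1-dev', '8.5.0-rc1') adds a trailing -1 so the
    build sorts below the final release it precedes (conservative choice)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)+)(-[\w.]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + ((-1,) if m.group(2) else ())


def _older(a, b):
    """Compare version tuples of unequal length by zero-padding the shorter."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess(version):
    """Return (vulnerable, message) for a Drupal core version string."""
    v = parse_version(version)
    major = v[0]
    if major < 7:
        return True, f"{version}: end of life; Drupal 6 needs the patch"
    if major >= 9 or (major == 8 and v[1] >= 6):
        return False, f"{version}: postdates the fixed releases"
    if major == 8 and v[1] < 3:
        return True, f"{version}: 8.{v[1]}.x is unsupported; upgrade to 8.3.9 or later"
    fixed = FIXED[(7,) if major == 7 else (8, v[1])]
    fixed_str = ".".join(str(x) for x in fixed)
    if _older(v, fixed):
        return True, f"{version}: vulnerable; upgrade to {fixed_str}"
    return False, f"{version}: at or above {fixed_str}"


def parse_version_file(text):
    """Extract the declared version from a core version file's contents, or None."""
    for pattern in VERSION_PATTERNS:
        m = pattern.search(text)
        if m:
            return m.group(1)
    return None


def detect_version(root):
    """Find the core version declared in a Drupal checkout rooted at `root`."""
    root = Path(root)
    for rel in VERSION_FILES:
        path = root / rel
        if path.is_file():
            found = parse_version_file(path.read_text(errors="replace"))
            if found:
                return found
    raise FileNotFoundError(f"no Drupal core version declaration under {root}")


def demo():
    """Assess two constructed checkouts (not real sites); returns {name: vulnerable}."""
    samples = {  # constructed sample contents mimicking the real files
        "app-d8": ("core/lib/Drupal.php",
                   "<?php\nclass Drupal {\n  const VERSION = '8.5.0';\n}\n"),
        "app-d7": ("includes/bootstrap.inc",
                   "<?php\ndefine('VERSION', '7.58');\n"),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (rel, content) in samples.items():
            path = Path(tmp, name, rel)
            path.parent.mkdir(parents=True)
            path.write_text(content)
            results[name] = assess(detect_version(Path(tmp, name)))[0]
    return results


if __name__ == "__main__":
    # Usage (hypothetical script name): python drupal_7600_check.py /var/www/app1 /var/www/app2
    roots = sys.argv[1:]
    if not roots:
        print("demo:", demo())
    for root in roots:
        try:
            vulnerable, message = assess(detect_version(root))
        except (FileNotFoundError, ValueError) as exc:
            print(f"{root}: {exc}")
            continue
        print(f"{root}: {'VULNERABLE' if vulnerable else 'ok'} ({message})")
```

Run it with the document root of each app as an argument; with no arguments it assesses the two constructed checkouts. Because the version is read from the files on disk rather than from a running site, it works against backups and container images too, and it does not depend on the site responding, which matters when an app is in maintenance mode.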

Don't hesitate to contact us if you have any questions.