-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1851
                          DRUPAL-SA-CORE-2014-005
                              16 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3704  

Original Bulletin: 
   https://www.drupal.org/SA-CORE-2014-005

- --------------------------BEGIN INCLUDED TEXT--------------------

   * Advisory ID: DRUPAL-SA-CORE-2014-005
   * Project: Drupal core [1]
   * Version: 7.x
   * Date: 2014-Oct-15
   * Security risk: 20/25 (Highly Critical)
     AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
   * Vulnerability: SQL Injection

- -------- DESCRIPTION ---------------------------------------------------------

Drupal 7 includes a database abstraction API to ensure that queries executed
against the database are sanitized to prevent SQL injection attacks.

A vulnerability in this API allows an attacker to send specially crafted
requests resulting in arbitrary SQL execution. Depending on the content of
the requests this can lead to privilege escalation, arbitrary PHP execution,
or other attacks.

This vulnerability can be exploited by anonymous users.
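
As an added illustration (not part of the advisory and not database.inc verbatim), the following PHP 7.1+ model mirrors how the Drupal 7 API expands an array bound to one placeholder into ":name_0, :name_1, ...": the vulnerable shape builds those names from whatever keys the caller's array carries, so a key taken from a request ends up in the SQL text, while the hardened shape re-indexes with array_values() first, which is the substance of the 7.32 fix. The function names, the sample query and the sample argument array are constructed for this example.

```php
<?php
// Simplified model of Drupal 7's array-placeholder expansion, constructed
// for this example (not database.inc verbatim). A query written as
// "... IN (:name)" with $args[':name'] = [...] is expanded to
// "... IN (:name_0, :name_1)" before it reaches the PDO driver.

// Vulnerable shape: placeholder names are built from whatever keys the
// caller's array carries. If that array is decoded from the request, the
// key is attacker-controlled and is spliced straight into the SQL text.
function expandArgumentsUnsafe(string $query, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $newKeys = [];
        foreach ($data as $i => $value) {          // $i may be any string
            $newKeys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . preg_quote($key, '#') . '\b#',
                              implode(', ', array_keys($newKeys)), $query);
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$query, $args];
}

// Hardened shape: re-index the array first so $i is always 0, 1, 2, ...
// regardless of the keys supplied. This is what the 7.32 fix does.
function expandArgumentsSafe(string $query, array $args): array {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $newKeys = [];
        foreach (array_values($data) as $i => $value) {
            $newKeys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . preg_quote($key, '#') . '\b#',
                              implode(', ', array_keys($newKeys)), $query);
        unset($args[$key]);
        $args += $newKeys;
    }
    return [$query, $args];
}

// Constructed sample: the bound array carries a non-numeric key, as it
// would if it had been decoded from an untrusted request parameter.
$template  = 'SELECT uid FROM users WHERE name IN (:name)';
$untrusted = [':name' => ['x' => 'alice']];
[$unsafeQuery] = expandArgumentsUnsafe($template, $untrusted);
[$safeQuery, $safeArgs] = expandArgumentsSafe($template, $untrusted);
// Guard: the unsafe path lets the caller's key reach the SQL text; the safe
// path binds only a generated name.
assert(strpos($unsafeQuery, ':name_x') !== false);
assert($safeArgs === [':name_0' => 'alice']);
echo $unsafeQuery, "\n", $safeQuery, "\n";
```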

- -------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

   * CVE-2014-3704

- -------- VERSIONS AFFECTED ---------------------------------------------------

   * Drupal core 7.x versions prior to 7.32.

- -------- SOLUTION ------------------------------------------------------------

Install the latest version:

   * If you use Drupal 7.x, upgrade to Drupal core 7.32 [3].

If you are unable to update to Drupal 7.32 you can apply this patch [4] to
Drupal's database.inc file to fix the vulnerability until such time as you
are able to completely upgrade to Drupal 7.32.

Also see the Drupal core [5] project page.

- -------- REPORTED BY ---------------------------------------------------------

   * Stefan Horst

- -------- FIXED BY ------------------------------------------------------------

   * Stefan Horst
   * Greg Knaddison [6] of the Drupal Security Team
   * Lee Rowlands [7] of the Drupal Security Team
   * David Rothstein [8] of the Drupal Security Team
   * Klaus Purer [9] of the Drupal Security Team

- -------- COORDINATED BY ------------------------------------------------------

   * The Drupal Security Team [10]

- -------- CONTACT AND MORE INFORMATION ----------------------------------------

We've prepared a FAQ on this release. Read more at
https://www.drupal.org/node/2357241.

The Drupal security team can be reached at security at drupal.org or via the
contact form at
https://www.drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/drupal-7.32-release-notes
[4] http://cgit.drupalcode.org/drupal/patch/?id=26a7752c34321fd9cb889308f507ca6bdb777f08&SA-CORE-2014-005
[5] https://www.drupal.org/project/drupal
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/larowlan
[8] https://www.drupal.org/u/david_rothstein
[9] https://www.drupal.org/u/klausi
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================