===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0693
         Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001
                               16 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6381 CVE-2017-6379 CVE-2017-6377

Original Bulletin: 
   https://www.drupal.org/SA-2017-001

--------------------------BEGIN INCLUDED TEXT--------------------

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001

Posted by Drupal Security Team on March 15, 2017 at 7:24pm

Drupal 8.2.7, a maintenance release which contains fixes for security 
vulnerabilities, is now available for download.

Download Drupal 8.2.7

Upgrading your existing Drupal 8 sites is strongly recommended. There are no 
new features nor non-security-related bug fixes in this release. See the 8.2.7
release notes for details on important changes and known issues affecting this
release. Read on for details of the security vulnerabilities that were fixed 
in this release.

    Advisory ID: DRUPAL-SA-CORE-2017-001
    Project: Drupal core
    Version: 8.x
    Date: 2017-March-15

Description

Editor module incorrectly checks access to inline private files - Drupal 8 - 
Access Bypass - Critical - CVE-2017-6377

When adding a private file via a configured text editor (like CKEditor), the 
editor will not correctly check access for the file being attached, resulting
in an access bypass.

Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site
Request Forgery - Moderately Critical - CVE-2017-6379

Some administrative paths did not include protection for CSRF. This would 
allow an attacker to disable some blocks on a site. This issue is mitigated by
the fact that users would have to know the block ID.

Remote code execution - Drupal 8 - Remote code execution - Moderately Critical
- CVE-2017-6381

A 3rd party development library included with Drupal 8 development
dependencies is vulnerable to remote code execution.

This is mitigated by the default .htaccess protection against PHP execution,
and the fact that Composer development dependencies aren't normally installed.

You might be vulnerable to this if you are running a version of Drupal before
8.2.2. To be sure you aren't vulnerable, you can remove the /vendor/phpunit
directory from the site root of your production deployments.
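The two conditions the advisory ties to CVE-2017-6381 (a core version older than 8.2.7 and a /vendor/phpunit directory still present in the site root) can be audited with a short script. This is an added example, not AusCERT's or Drupal's own tooling; it assumes the Drupal 8 layout in which core/lib/Drupal.php declares `const VERSION = '8.x.y';` and vendor/.htaccess carries the default block on PHP execution.

```shell
#!/bin/sh
# Audit a Drupal 8 docroot against SA-CORE-2017-001 / CVE-2017-6381.
# Added example; not AusCERT's or Drupal's own tooling.

# Read the core version from core/lib/Drupal.php (assumed: `const VERSION = '8.x.y';`).
drupal_version() {
  sed -n "s/^[[:space:]]*const VERSION = '\([0-9.]*\).*/\1/p" "$1/core/lib/Drupal.php" 2>/dev/null
}

# Return 0 when dotted version $1 is older than $2 (major.minor.patch compared numerically).
version_lt() {
  a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
  b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# Print one finding per line. Exit 0 when clean, 1 when action is needed,
# 2 when the directory does not look like a Drupal 8 root.
audit_drupal_root() {
  root=$1; rc=0
  v=$(drupal_version "$root")
  if [ -z "$v" ]; then
    echo "ERROR: $root/core/lib/Drupal.php not found or unparsable"; return 2
  fi
  if version_lt "$v" 8.2.7; then
    echo "UPGRADE: Drupal $v is older than 8.2.7 (SA-CORE-2017-001)"; rc=1
  fi
  if [ -d "$root/vendor/phpunit" ]; then
    echo "REMOVE: $root/vendor/phpunit is present (dev dependency, CVE-2017-6381)"; rc=1
  fi
  # vendor/.htaccess is the default PHP-execution block the advisory relies on (assumed path).
  if [ ! -f "$root/vendor/.htaccess" ]; then
    echo "WARN: $root/vendor/.htaccess missing; PHP execution under vendor/ may not be blocked"; rc=1
  fi
  return $rc
}

# Usage: sh audit.sh /path/to/drupal/docroot
if [ $# -gt 0 ]; then
  audit_drupal_root "$1"
  exit $?
fi
```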

Solution

Upgrade to Drupal 8.2.7

Reported by

Editor module incorrectly checks access to inline private files - Drupal 8 - 
Access Bypass - Critical - CVE-2017-6377

    Casey

Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site
Request Forgery - Moderately Critical - CVE-2017-6379

    Samuel Mortenson

Remote code execution - Drupal 8 - Remote code execution - Moderately Critical
- CVE-2017-6381

    Timo Hilsdorf

Fixed by

Editor module incorrectly checks access to inline private files - Drupal 8 - 
Access Bypass - Critical - CVE-2017-6377

    Laszlo Csecsy
    Wim Leers
    Alex Pott of the Drupal Security Team
    Klaus Purer of the Drupal Security Team

Some admin paths were not protected with a CSRF token - Drupal 8 - Cross Site
Request Forgery - Moderately Critical - CVE-2017-6379

    Samuel Mortenson
    Sascha Grossenbacher

Remote code execution - Drupal 8 - Remote code execution - Moderately Critical
- CVE-2017-6381

    Klaus Purer of the Drupal Security Team
    Mixologic

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the 
contact form at https://www.drupal.org/contact.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================