-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0693
        Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001
                               16 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6381 CVE-2017-6379 CVE-2017-6377

Original Bulletin:
   https://www.drupal.org/SA-2017-001

- --------------------------BEGIN INCLUDED TEXT--------------------

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001

Posted by Drupal Security Team on March 15, 2017 at 7:24pm

Drupal 8.2.7, a maintenance release which contains fixes for security
vulnerabilities, is now available for download.

Download Drupal 8.2.7

Upgrading your existing Drupal 8 sites is strongly recommended. There are no
new features nor non-security-related bug fixes in this release. See the
8.2.7 release notes for details on important changes and known issues
affecting this release. Read on for details of the security vulnerabilities
that were fixed in this release.

Advisory ID: DRUPAL-SA-CORE-2017-001
Project:     Drupal core
Version:     8.x
Date:        2017-March-15

Description
-----------

Editor module incorrectly checks access to inline private files - Drupal 8 -
Access Bypass - Critical - CVE-2017-6377

When adding a private file via a configured text editor (like CKEditor), the
editor will not correctly check access for the file being attached,
resulting in an access bypass.

Some admin paths were not protected with a CSRF token - Drupal 8 - Cross
Site Request Forgery - Moderately Critical - CVE-2017-6379

Some administrative paths did not include protection for CSRF. This would
allow an attacker to disable some blocks on a site. This issue is mitigated
by the fact that users would have to know the block ID.

Remote code execution - Drupal 8 - Remote code execution - Moderately
Critical - CVE-2017-6381

A 3rd party development library included with Drupal 8 development
dependencies is vulnerable to remote code execution. This is mitigated by
the default .htaccess protection against PHP execution, and the fact that
Composer development dependencies aren't normally installed. You might be
vulnerable to this if you are running a version of Drupal before 8.2.2. To
be sure you aren't vulnerable, you can remove the /vendor/phpunit directory
from the site root of your production deployments.

Solution
--------

Upgrade to Drupal 8.2.7

Reported by
-----------

Editor module incorrectly checks access to inline private files - Drupal 8 -
Access Bypass - Critical - CVE-2017-6377
  Casey

Some admin paths were not protected with a CSRF token - Drupal 8 - Cross
Site Request Forgery - Moderately Critical - CVE-2017-6379
  Samuel Mortenson

Remote code execution - Drupal 8 - Remote code execution - Moderately
Critical - CVE-2017-6381
  Timo Hilsdorf

Fixed by
--------

Editor module incorrectly checks access to inline private files - Drupal 8 -
Access Bypass - Critical - CVE-2017-6377
  Laszlo Csecsy
  Wim Leers
  Alex Pott of the Drupal Security Team
  Klaus Purer of the Drupal Security Team

Some admin paths were not protected with a CSRF token - Drupal 8 - Cross
Site Request Forgery - Moderately Critical - CVE-2017-6379
  Samuel Mortenson
  Sascha Grossenbacher

Remote code execution - Drupal 8 - Remote code execution - Moderately
Critical - CVE-2017-6381
  Klaus Purer of the Drupal Security Team
  Mixologic

Contact and More Information
----------------------------

The Drupal security team can be reached at security at drupal.org or via
the contact form at https://www.drupal.org/contact.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWMnj0Ix+lLeg9Ub1AQgTKQ/8DWQZJ1Ljqsz/75EgGDcm2vBwGKauPppU
WFwghPwM/AXgIfUaYX3+arMmiZaamtXuc1efFqO/HZnlA3258bqXpHDemVM29W2P
h1QNIXdXw4hgtIWUye2/j3NGYazcESfQ1N2ZsKUsmdLmMnuFplyhfvd+DHZVEKI2
VVAEGnQD0+a8xR1kerthxIacCxMtbPSRxmM3XYVxD7BzIcX4/JSn5l1qg6+ABRwZ
UmOVFv8wA7pSSn9kMwmIvpMT6rBwyXe6Ufqs+whQqyl4K0XMcquWYTpatumDbHiE
ZrD/WEkzHtjVC0cpXn3y9kTdiFonPJSZ0wF3Th41cZa/Qm7Y1L19w12b+gvavwVB
nNrs+TGzqgUZxomdzkorbOtNq/gvm7MvHjFRCgzUkpWitn0BqiF0couVtfjkwpBE
yPpxyoZvcL/1jBs2s6hQzZWKMZhjr5PMTF10K42MI3u6G1tw/tZEQ3/5AMAmsOHG
ZZaQc5es8R3Ye5uMcKja4TWLr4jJUETGt8Vw1v54aVteGKakL00rPQX6IaRS+gIP
rpcgs149Qb0XkDw9fDMFRFdsILvsUzdWatQc6FP052YGIwSPu0rAIt4H7YtUGjeM
IENDfJ+0u3ZgIIgyx52txYOzpe6DV2Qi28cxVbjdumz3H9aTeKgeR20YEZss5V18
D7yg5fNSEeo=
=cY4y
-----END PGP SIGNATURE-----
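The advisory above gives site owners two things to verify: that core is at 8.2.7 or later, and that the /vendor/phpunit directory (the development dependency behind CVE-2017-6381) is not deployed to production. The script below is an added example written for this page; it is not code from AusCERT or the Drupal project. It assumes the standard Drupal 8 layout, where core/lib/Drupal.php declares the version as `const VERSION = '8.x.y';`, and it builds constructed sample trees to demonstrate the checks, so it can be run anywhere without touching a real site.

```shell
#!/bin/sh
# Added example, not part of the AusCERT or Drupal advisory: audit a Drupal 8
# docroot for the two conditions the advisory names, core older than 8.2.7 and
# a vendor/phpunit directory present in a production deployment.
# Assumed layout: core/lib/Drupal.php declares `const VERSION = '8.x.y';`.

# Print the core version read from core/lib/Drupal.php (nothing if absent).
drupal_version() {
  sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" \
    "$1/core/lib/Drupal.php" 2>/dev/null | head -n 1
}

# Succeed (exit 0) when version $1 is strictly lower than version $2.
# Compares major.minor.patch numerically; a "-rc1"/"-beta1" suffix is ignored,
# and missing fields count as 0 (so "8.2" is treated as "8.2.0").
version_lt() {
  v1=${1%%-*}; v2=${2%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    f1=$(printf '%s.0.0\n' "$v1" | cut -d. -f"$i" | tr -cd '0-9')
    f2=$(printf '%s.0.0\n' "$v2" | cut -d. -f"$i" | tr -cd '0-9')
    f1=${f1:-0}; f2=${f2:-0}
    if [ "$f1" -lt "$f2" ]; then return 0; fi
    if [ "$f1" -gt "$f2" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# Audit one docroot. Exit status: 0 = nothing to do, 1 = action needed
# (old core and/or vendor/phpunit present), 2 = not a Drupal 8 docroot.
audit_drupal_docroot() {
  docroot=$1
  status=0
  ver=$(drupal_version "$docroot")
  if [ -z "$ver" ]; then
    echo "$docroot: no core/lib/Drupal.php found; not a Drupal 8 docroot?"
    return 2
  fi
  if version_lt "$ver" 8.2.7; then
    echo "$docroot: Drupal $ver is older than 8.2.7; SA-CORE-2017-001 applies, upgrade"
    status=1
  else
    echo "$docroot: Drupal $ver is at or above 8.2.7"
  fi
  if [ -d "$docroot/vendor/phpunit" ]; then
    echo "$docroot: vendor/phpunit is deployed; remove it from production (CVE-2017-6381)"
    status=1
  fi
  return "$status"
}

# Build a constructed sample docroot (not a real Drupal tree) under $1 with
# core version $2; when $3 is "yes" it also creates vendor/phpunit.
make_sample_docroot() {
  mkdir -p "$1/core/lib"
  printf "<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" "$2" \
    > "$1/core/lib/Drupal.php"
  [ "$3" = yes ] && mkdir -p "$1/vendor/phpunit"
  return 0
}

# Demo on constructed sample trees; safe to run anywhere.
tmp=$(mktemp -d)
make_sample_docroot "$tmp/old"   8.2.6 yes
make_sample_docroot "$tmp/fixed" 8.2.7 no
audit_drupal_docroot "$tmp/old"   || true
audit_drupal_docroot "$tmp/fixed" || true
rm -rf "$tmp"
```

On a real host, call `audit_drupal_docroot /var/www/example` (path is a placeholder) for each site; a non-zero exit status flags a site that still needs the upgrade or the directory removal, which makes the function usable from a cron job or configuration-management check as well as interactively.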