Number: AL18-003
Date: 29 March 2018
Purpose
The purpose of this alert is to bring attention to a recently disclosed, highly critical remote code execution vulnerability (CVE-2018-7600) that exists in multiple subversions of Drupal 7.x, 8.x and 6.x.
Assessment
Drupal is an open source content management platform widely used across multiple organizations. CCIRC is not aware of exploit activity affecting organizations at this time.
Affected Versions:
- Drupal 6.x all versions
- Drupal 7.x versions prior to 7.58
- Drupal 8.x versions prior to 8.5.1
Certain subversions, such as 8.3.x and 8.4.x, are no longer supported; however, given the potential severity of this issue, Drupal has released fixes.
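
An inventory check for the version ranges listed above, as an added example that is not part of the CCIRC alert or Drupal's own code: it reads the version constant that Drupal core ships in its source tree and maps it onto the alert's list. The function names and status strings are hypothetical, and the file locations assume the standard core layout for each major version.

```python
import re
import sys
from pathlib import Path

# Where each Drupal core major records its version, relative to the site root.
VERSION_FILES = (
    "core/lib/Drupal.php",           # 8.x: const VERSION = '8.5.0';
    "includes/bootstrap.inc",        # 7.x: define('VERSION', '7.57');
    "modules/system/system.module",  # 6.x: define('VERSION', '6.38');
)
VERSION_RE = re.compile(r"\bVERSION'?\s*[,=]\s*'((\d+)\.(\d+)(?:\.(\d+))?([^']*))'")


def classify(major, minor, patch=0, prerelease=False):
    """Map a core version onto the alert's affected-version list."""
    # A pre-release such as 7.58-dev sorts before the 7.58 release itself.
    key = (minor, patch, 0 if prerelease else 1)
    if major == 6:
        return "affected"  # all 6.x versions
    if major == 7:
        return "affected" if key < (58, 0, 1) else "not listed"
    if major == 8 and key < (5, 1, 1):
        # The alert says fixes exist for 8.3.x and 8.4.x but gives no release
        # numbers for them, so those branches are flagged for a manual check.
        return "verify against vendor advisory" if minor in (3, 4) else "affected"
    return "not listed"


def scan(root):
    """Return {site_dir: (version, status)} for Drupal cores found under root."""
    found = {}
    for rel in VERSION_FILES:
        depth = len(Path(rel).parts)
        for path in Path(root).rglob(rel):
            match = VERSION_RE.search(path.read_text(errors="replace"))
            if match:
                major, minor, patch = (int(n or 0) for n in match.group(2, 3, 4))
                site = str(path.parents[depth - 1])
                status = classify(major, minor, patch, bool(match.group(5)))
                found.setdefault(site, (match.group(1), status))
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for site, (version, status) in sorted(scan(target).items()):
        print(f"{site}\t{version}\t{status}")
```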
Suggested action
CCIRC recommends that owners/operators test and deploy the vendor-released update or workaround to affected platforms accordingly.
References
https://www.drupal.org/sa-core-2018-002
https://groups.drupal.org/security/faq-2018-002