Alert - Drupal Security Vulnerability

Number: AL18-003
Date: 29 March 2018

Purpose

The purpose of this alert is to bring attention to a recently disclosed, highly critical remote code execution vulnerability (CVE-2018-7600) that exists in multiple subversions of Drupal 7.x, 8.x and 6.x.

Assessment

Drupal is an open source platform widely used for content management software across multiple organizations. CCIRC is not aware of exploit activity affecting organizations at this time.

Affected Versions:

  • Drupal 6.x all versions
  • Drupal 7.x versions prior to 7.58
  • Drupal 8.x versions prior to 8.5.1

Certain subversions, such as 8.3.x and 8.4.x, are no longer supported; however, given the potential severity of this issue, Drupal has released fixes for them.
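
The following is an added example, not code from CCIRC or Drupal, showing one way to triage an inventory of Drupal core versions against the ranges listed above. The host names, sample versions and status labels are assumptions of this example; because the alert does not name the fixed releases for 8.3.x and 8.4.x, those branches are flagged for a manual check against the vendor advisory.

```python
import re

# Thresholds taken from the alert's "Affected Versions" list.
FIXED_IN = {7: (7, 58, 0), 8: (8, 5, 1)}
# Unsupported branches the alert says received fixes, without naming the release.
BACKPORTED = {(8, 3), (8, 4)}

# major.minor[.patch] with an optional pre-release suffix such as "-rc1".
_VERSION = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-+]\S*)?\s*$")


def triage(version):
    """Classify one Drupal core version string (status labels are this example's own)."""
    m = _VERSION.match(version)
    if m is None:
        return "unknown"         # e.g. "7.x-dev": not comparable, inspect by hand
    v = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if v[0] == 6:
        return "affected"        # alert: all 6.x versions
    if v[0] not in FIXED_IN:
        return "not-listed"      # branch the alert does not cover
    if v[:2] in BACKPORTED:
        return "check-advisory"  # a fix exists, but the alert does not name the release
    # A pre-release suffix is ignored, so "8.5.0-rc1" compares as 8.5.0.
    return "affected" if v < FIXED_IN[v[0]] else "not-affected"


def triage_inventory(inventory):
    """Map {host: version} to {host: status}."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "intranet.example": "7.57",
    "www.example": "7.58",
    "blog.example": "8.4.5",
    "shop.example": "8.5.0-rc1",
    "docs.example": "8.5.1",
    "legacy.example": "6.38",
    "staging.example": "7.x-dev",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:20} {SAMPLE[host]:12} {status}")
```

Hosts reported as "unknown" or "check-advisory" need their installed release confirmed against the vendor advisory listed under References.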

Suggested action

CCIRC recommends that owners/operators test and deploy the vendor-released update or workaround to affected platforms accordingly.

References

https://www.drupal.org/sa-core-2018-002
https://groups.drupal.org/security/faq-2018-002
