Keep calm and... update to the latest versions of Drupal 7 and Drupal 8: Drupal 7.56 and Drupal 8.3.4, respectively! The two Drupal security releases published on the 21st of June 2017 address three security vulnerabilities in Drupal core. Ignoring all the work the security team has done and leaving your website (or your clients') "exposed" to attack would be a reckless thing to do, right? So let's have a close look at the three vulnerabilities and the two releases that patch them:
Which Drupal Sites Are Most Vulnerable to These Security Issues?
A more than valid question, since each issue needs certain conditions to be met before a given Drupal site becomes "prone to" it. For the most talked-about one, the REST resource bug, an attacker needs two things:
- the RESTful Web Services module has to be enabled (with the file REST resource exposed)
- the attacker has to be able to register a user account on that specific Drupal site and to be granted permission to upload files
Once these two conditions are met, an attacker can push file manipulations through the REST resource that the normal field validation should have rejected.
The other two issues have their own preconditions: the YAML issue only bites Drupal 8 sites where the PECL YAML PHP extension is installed (Drupal 8 uses that parser only when it is present), and the private file issue only affects configurations that let anonymous users upload files into the private file system.
The 3 Vulnerabilities That These 2 Drupal Security Updates Address
1. Critical Security Issue: The PECL YAML parser's unsafe way of handling PHP objects
That's right, in Drupal 8 the PECL YAML parser (which core uses whenever the PHP yaml extension is installed) did not handle PHP objects safely during certain operations carried out in Drupal core. A parser that turns a tagged YAML value into a PHP object by unserializing it hands an attacker who can influence that YAML a classic deserialization sink, which is why the advisory rates this as remote code execution. And "didn't" becomes "doesn't" if you haven't run the security update yet.
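To make the failure mode concrete, here is an added illustration (written for this article, not Drupal core's code) of what "not handling PHP objects safely" means for a YAML parser. It assumes the PECL yaml extension is loaded, that its yaml.decode_php setting can be changed at runtime, and PHP 8.1 or later; the Gadget class, the function names and the YAML document are all constructed for the demo.

```php
<?php
// Added illustration (not Drupal core code) of how a YAML parser that turns
// tagged values into PHP objects becomes a deserialization sink. Assumes the
// PECL "yaml" extension (yaml_parse()) is loaded and that yaml.decode_php can
// be changed at runtime; the Gadget class and the YAML document are constructed
// for this demo.
declare(strict_types=1);

// Any class with side effects in a magic method is a potential "gadget" once an
// attacker controls the serialized payload. Here the side effect is only an echo.
final class Gadget
{
    public string $cmd = '';

    public function __wakeup(): void
    {
        echo "Gadget::__wakeup() ran during YAML parsing, cmd=" . $this->cmd . PHP_EOL;
    }
}

// Constructed attacker-controlled input: a !php/object tag wrapping a PHP
// serialized Gadget. The parser is never told about Gadget; the class name
// comes straight from the payload.
const UNTRUSTED_YAML = <<<'YAML'
settings:
  value: !php/object 'O:6:"Gadget":1:{s:3:"cmd";s:4:"demo";}'
YAML;

// Unsafe behaviour: with yaml.decode_php enabled the tagged value is fed to
// unserialize(), so __wakeup() (and later __destruct()) runs before the caller
// ever sees the parsed result.
function parseTrustingPhpObjects(string $yaml): mixed
{
    ini_set('yaml.decode_php', '1');
    return yaml_parse($yaml);
}

// Hardened: disable object decoding and, belt and braces, register a callback
// for the tag that fails closed instead of silently handing back a string.
function parseRejectingPhpObjects(string $yaml): mixed
{
    ini_set('yaml.decode_php', '0');
    $ndocs = 0;
    return yaml_parse($yaml, 0, $ndocs, [
        '!php/object' => static function ($value, string $tag, int $flags): never {
            throw new RuntimeException("Refusing to decode YAML tag $tag");
        },
    ]);
}

$unsafe = parseTrustingPhpObjects(UNTRUSTED_YAML);
printf("unsafe parse produced a value of type: %s\n", get_debug_type($unsafe['settings']['value']));

try {
    parseRejectingPhpObjects(UNTRUSTED_YAML);
} catch (RuntimeException $e) {
    printf("hardened parse: %s\n", $e->getMessage());
}
```

The point of the callback is that "return the raw string" is still a surprise for calling code that expected a scalar; refusing the tag outright turns attacker-controlled YAML into a logged error instead of an object graph.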
2. Less Critical Security Issue: A REST Resource bug, leading to improper field validation
As already mentioned, the easiest "victims" for this one are precisely those Drupal 8 websites with the RESTful Web Services module enabled.
Why? Because the Drupal security team discovered that the file REST resource did not always handle fields the right way: when files are manipulated through the resource, some fields do not get validated properly, so values that should have been rejected can get through.
3. Moderately Critical Security Issue: Private Files Are Accessible to Multiple Anonymous Users
And, as you can guess, this issue meant a real "crack" in Drupal's shield against attacks, and it affects both Drupal 7 and Drupal 8.
Practically, when an anonymous user is allowed to upload files into a site's private file system, the files they upload "risk" being accessed by any other anonymous user.
Once uploaded, the uploader has no "exclusivity" over them: Drupal's private file access check can fail to tell one anonymous visitor apart from another, so a different anonymous visitor can view or download them.
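Why is "the owner may read it" such a fragile rule for anonymous uploads? Every anonymous visitor in Drupal shares the same user ID, 0, so an owner comparison alone cannot distinguish the uploader from a stranger. The following is an added illustration of that pattern written for this article (it is not Drupal's own access code, and the class names, function names and scenario are invented); the hardened variant binds an anonymous upload to the uploading session rather than to the shared user ID. It assumes PHP 8.1 or later.

```php
<?php
// Added illustration of the private-file access-bypass pattern, not Drupal's
// own code. FileRecord, Visitor and the canDownload* functions are invented for
// this demo; the scenario at the bottom is constructed.
declare(strict_types=1);

const ANONYMOUS_UID = 0; // every anonymous visitor carries this same uid

final class FileRecord
{
    public function __construct(
        public readonly int $fid,
        public readonly int $ownerUid,
        public readonly bool $private,
    ) {
    }
}

final class Visitor
{
    /** @param int[] $uploadedFids ids of files this visitor's own session uploaded */
    public function __construct(
        public readonly int $uid,
        public readonly array $uploadedFids = [],
    ) {
    }

    public function isAnonymous(): bool
    {
        return $this->uid === ANONYMOUS_UID;
    }
}

// Vulnerable rule: "only the owner may download a private file". For anonymous
// owners this degenerates to "any anonymous visitor may download it", because
// the uploader and a stranger are indistinguishable by uid.
function canDownloadVulnerable(FileRecord $file, Visitor $visitor): bool
{
    if (!$file->private) {
        return true;
    }
    return $file->ownerUid === $visitor->uid;
}

// Hardened rule: for anonymous owners, identity is the session, not the uid, so
// the file must also appear in the list of ids this particular session uploaded.
function canDownloadHardened(FileRecord $file, Visitor $visitor): bool
{
    if (!$file->private) {
        return true;
    }
    if ($file->ownerUid !== $visitor->uid) {
        return false;
    }
    if ($visitor->isAnonymous()) {
        return in_array($file->fid, $visitor->uploadedFids, true);
    }
    return true;
}

// Constructed scenario: anonymous visitor A uploads private file 42; anonymous
// visitor B, from a different browser session, requests the same file id.
$file = new FileRecord(fid: 42, ownerUid: ANONYMOUS_UID, private: true);
$uploader = new Visitor(ANONYMOUS_UID, uploadedFids: [42]);
$stranger = new Visitor(ANONYMOUS_UID);

var_dump(canDownloadVulnerable($file, $stranger));
var_dump(canDownloadHardened($file, $uploader));
var_dump(canDownloadHardened($file, $stranger));
```

The stranger passes the vulnerable check simply because their uid equals the file's owner uid; under the hardened check only the session that recorded file 42 as its own upload gets through, which is the property the private file system is supposed to guarantee.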
In short: time to update! If you own or administer websites running Drupal versions older than 7.56 or 8.3.4, why take any risks?
Especially when an entire Drupal security team has been working to "diagnose" these vulnerabilities and then put a whole lot of effort into releasing the right patches for them. Why not simply leverage the results of their work, these two new Drupal security updates?
Underestimating security issues in today's digital landscape is pretty much like driving blindfolded, defying the inevitable!