On October 29, 2014, Drupal.org posted a public service announcement on their website warning clients of a highly critical security risk. The posting stated that automated attacks were compromising all Drupal 7 websites that were not patched or updated to Drupal 7.32 before October 15, 2014 at 4:00 p.m. PT.
After careful analysis by our security operations team, we found no credible justification for the claim that systems would be compromised if not patched within the time frame indicated. However, to take extra precautions, we are compiling a list of Drupal server owners and advising these owners to take the following steps:
- If the Drupal server is not managed by UBC IT, patches should be applied immediately. The problem can be mitigated by upgrading to Drupal core 7.32 or by applying a database patch, SA-CORE-2014-005-D7. For Drupal services managed by UBC IT, the patch has already been installed.
- If you are concerned about potential exposure, send an email to email@example.com and the Security Centre Operations Response team will provide information on potential indicators of compromise and what to look for in your logs; additionally, they can assist server owners with examining their web application and server logs as required.
To be clear, despite the language used in the Drupal announcement, there is no evidence that UBC Drupal servers have been compromised. Nevertheless, we will continue to investigate to remain certain.
If you have any questions, please contact us at firstname.lastname@example.org.