Upcoming Drupal 7 and 8 Patches Address Highly Critical Security Vulnerability – March 28th, 2018 10:00am

Drupal has announced that it will release security updates for Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28, 2018 between 10:00am and 11:30am PST to fix a highly critical security vulnerability.

If you are the owner or administrator of a Drupal website, the Drupal Security Team urges you to reserve time for core updates during this time. Exploits may be developed within hours or days.

Security release announcements will appear on the Drupal.org security advisory page.

Security Risk: Critical

Action:

  1. As soon as the patches are released on March 28, 2018, update your installation of Drupal to the patched version.
  2. Depending on the nature of the vulnerability, if you are running a version that cannot be patched, you may need to consider taking your site offline until the vulnerability can be remediated.

Drupal websites hosted by UBC IT Web Services

If your Drupal website is hosted by UBC IT Web Services, this patch will be assessed and addressed once it is available.

Drupal websites hosted on UBC IT Shared Web Hosting

If your Drupal website is hosted on UBC IT Shared Web Hosting, you are responsible for patching your Drupal install. If you require assistance, please contact security@ubc.ca.

If you have a Drupal 6 website

Those managing Drupal 6 sites are advised to back up their site immediately and to be prepared to take it offline tomorrow, depending on how critical the announced vulnerability turns out to be. If this is not feasible for business purposes, please email security@ubc.ca immediately to discuss mitigation strategies.

  • take a full backup of your site and database in its current state so you have a known good copy to revert to
  • if your site doesn’t need to be internet accessible, lock it down to an on-campus IP address range via .htaccess or firewall
  • if your site doesn’t need to be publicly accessible, use an .htaccess htpasswd login at the root of your site, and circulate that password to your user community while you work on a proper solution
  • if your site doesn’t need to be fully dynamic, export all of your pages as static HTML, make that your public site, and move your actual Drupal instance to a non-public IP space or an .htaccess password-protected URL. See hxxps://www.drupal.org/node/27882 for more information
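The two .htaccess controls in the list above (an on-campus IP restriction and an htpasswd login) can be combined in a single file so that a visitor is admitted either from the campus range or with valid credentials. The following is an added example written for this notice; it is not taken from the advisory or from drupal.org. The CIDR range, the AuthUserFile path, the realm name and the username are placeholders to replace with your own values, and it assumes Apache with mod_auth_basic loaded and a vhost that sets AllowOverride to include AuthConfig and Limit.

```apache
# Added example: .htaccess directives for the Drupal document root.
# Assumes Apache 2.4 (mod_authz_core) or Apache 2.2 (mod_authz_host), plus
# mod_auth_basic, and "AllowOverride AuthConfig Limit" on the vhost.
# Drupal ships its own .htaccess in the document root; place these directives
# at the top of that file rather than replacing it.

# Basic authentication settings shared by both Apache versions.
AuthType Basic
AuthName "Drupal site - restricted pending security patch"
# Placeholder path. Keep the password file OUTSIDE the web root and create it with:
#   htpasswd -c /var/www/private/.htpasswd someuser
AuthUserFile /var/www/private/.htpasswd

<IfModule mod_authz_core.c>
    # Apache 2.4 syntax: allow the request if EITHER condition holds.
    # 192.0.2.0/24 is a placeholder; replace it with the on-campus range.
    <RequireAny>
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAny>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax for the same policy.
    # 192.0.2.0/24 is a placeholder; replace it with the on-campus range.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Require valid-user
    # "Satisfy Any" means either the IP match or valid credentials is enough.
    Satisfy Any
</IfModule>
```

To require only one of the two controls, delete the other Require line (and, on 2.2, the corresponding Allow or Require plus the Satisfy line). Basic authentication sends the password with every request, so serve the site over HTTPS while this is in place. This only limits who can reach the site; it does not remove the vulnerability, and the patch or static export described above is still the proper fix.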


Websites not hosted by UBC IT Web Services or Shared Web Hosting

If you manage your own Drupal instance, please send an email to security@ubc.ca and indicate your action plan as one of the following:

  • You or your staff are patching
  • You are engaging with a third party to patch
  • You require our assistance with patching
  • The instance cannot be patched for technical reasons
  • The instance is no longer used, and can be permanently removed

In addition, please indicate:

  • Technical contact for the instance, if it is not you
  • Business impact if the instance were to be taken down [Low/Medium/High]
  • What an acceptable downtime would be
  • The best way to contact you for follow-up

Additional Information

https://www.drupal.org/psa-2018-001

If you have any questions, please contact security@ubc.ca.