Drupal has released security updates for 8.5.x and 8.6.x, along with updates to some contributed modules for 7.x/8.x, to fix a highly critical security vulnerability. At least one Drupal 6.x contributed module patch is also available.
A site is only affected by this if one of the following conditions is met:
- The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
- The site has another web services module enabled (like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7).
If you are the owner or administrator of an affected Drupal website, please implement these updates immediately. If you cannot patch your affected site, it is recommended that you take it offline and contact security@ubc.ca for assistance.
Security Risk: Highly Critical
Action:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
- Be sure to install any available security updates for contributed projects after updating Drupal core.
- No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.
- No core update is required for Drupal 6, but at least one Drupal 6 contributed module requires an update from the unofficial Drupal 6 LTS team.
Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Drupal websites hosted by UBC IT Web Services
If your Drupal website is hosted by UBC IT Web Services, patches for affected systems running Drupal 8 and Drupal 7 are currently being applied and should be completed by 2:30pm today.
Drupal websites hosted on UBC IT Shared Web Hosting
If your Drupal website is hosted on UBC IT Shared Web Hosting, you are responsible for patching your Drupal install.
Additional Information
https://www.drupal.org/sa-core-2019-003
If you have any questions or require any assistance to patch or secure your sites, please email security@ubc.ca.