Platform.sh: More details on Drupal Support Service SA-CORE-2018-002

Published on November 3, 2020

Annertech: Annertech: Web Agency of the Year

Annertech: Web Agency of the Year My fingers are trembling typing this. I can’t believe it. This morning everyone in Annertech land is thinking “did that really just happen?” It appears it did, we are the web agency of the year! Last night, to top off the other three awards we won – best arts […]

Flickr: Registration Desk – Tuesday – DrupalCon Dublin 2016

comprock posted a photo: The Drupal community is one of the largest open source communities in the world. We’re developers, designers, strategists, coordinators, editors, translators, and more. Each year, we meet at DrupalCamps, meetups, and other events in more than 200 countries. But once a year, our community comes together in a European city for […]

Flickr: Sprint Lounge – Tuesday – DrupalCon Dublin 2016

comprock posted a photo: The Drupal community is one of the largest open source communities in the world. We’re developers, designers, strategists, coordinators, editors, translators, and more. Each year, we meet at DrupalCamps, meetups, and other events in more than 200 countries. But once a year, our community comes together in a European city for […]

Flickr: Tuesday – DrupalCon Dublin 2016

comprock posted a photo: The Drupal community is one of the largest open source communities in the world. We’re developers, designers, strategists, coordinators, editors, translators, and more. Each year, we meet at DrupalCamps, meetups, and other events in more than 200 countries. But once a year, our community comes together in a European city for […]

Flickr: David & Paul – Scout masters – Wednesday – DrupalCon Dublin 2016

comprock posted a photo: The Drupal community is one of the largest open source communities in the world. We’re developers, designers, strategists, coordinators, editors, translators, and more. Each year, we meet at DrupalCamps, meetups, and other events in more than 200 countries. But once a year, our community comes together in a European city for […]

Flickr: Jam interview – Wednesday – DrupalCon Dublin 2016

comprock posted a photo: The Drupal community is one of the largest open source communities in the world. We’re developers, designers, strategists, coordinators, editors, translators, and more. Each year, we meet at DrupalCamps, meetups, and other events in more than 200 countries. But once a year, our community comes together in a European city for […]

Flickr: Sprinters wanted – Wednesday – DrupalCon Dublin 2016

comprock posted a photo: The Drupal community is one of the largest open source communities in the world. We’re developers, designers, strategists, coordinators, editors, translators, and more. Each year, we meet at DrupalCamps, meetups, and other events in more than 200 countries. But once a year, our community comes together in a European city for […]

Flickr: Sprint Lounge – Wednesday – DrupalCon Dublin 2016

comprock posted a photo: The Drupal community is one of the largest open source communities in the world. We’re developers, designers, strategists, coordinators, editors, translators, and more. Each year, we meet at DrupalCamps, meetups, and other events in more than 200 countries. But once a year, our community comes together in a European city for […]

Leopathu: Dynamic Block Weight in Drupal 8

In such a time, i want to place blocks in sidebar region with the dynamic weight. It means the blocks should render in different position for each page request. I have searched and tried lots of method but unfortunately i can’t find proper method to do that. So i have decided to do that with […]

Agiledrop.com Blog: AGILEDROP: Drupal‘s path from 4.0 to 8.0

Last time we guided you through early beginnings of Drupal. We explained how all started and how first versions of Drupal were made. This time we will look how this open-source content-management framework evolved from its fourth to its latest, eight version. Drupal 4.0 Drupal’s fourth version was released on 15. 6. 2002. It became […]

Flickr: Wednesday – DrupalCon Dublin 2016

comprock posted a photo: The Drupal community is one of the largest open source communities in the world. We’re developers, designers, strategists, coordinators, editors, translators, and more. Each year, we meet at DrupalCamps, meetups, and other events in more than 200 countries. But once a year, our community comes together in a European city for […]

OStatic: Web Publishing and Development: Free Tools Abound

Are you involved in DevOps and web development, or are you aiming to be? If so, you’re probably very aware of many of the tools from the open standards and open source arenas that can make your work easier. Still, these are always spreading out at a fast clip and there are some applications and […]

More details on Drupal Support Service SA-CORE-2018-002
Crell
Wed, 03/28/2018 – 20:00

Blog

Platform.sh customers should visit Safe from Drupal Support ServiceGeddon II aka SA-CORE-2018-02 for the specific steps we took to protect all our Drupal Support Service instances.
Earlier today, a critical remote code execution vulnerability in Drupal Support Service 6, 7, and 8 was disclosed. This highly-critical issue affects all Drupal Support Service 7.x and 8.x sites and most Drupal Support Service 6.x sites. It is trivially exploitable remotely by anonymous users on any site that exposes forms. It is very possible that your site exposes this vulnerability even if you are not aware of publicly accessible forms. You should update immediately any Drupal Support Service site you have to versions 8.5.1, 8.4.6, or 7.58, as appropriate.
How to know if I am affected?
We are currently not aware of exploits of this vulnerability in the wild but this will undoubtedly change in the next few hours. Writing an exploit for this is trivial and you should expect automated internet-wide attacks before the day is out.
You should take immediate steps to protect yourself. This is as bad or worse than the previous highly-critical vulnerability SA-CORE-2014-05 that wreaked havoc three and a half years ago affecting more than 12 Million websites.
(Like, seriously, if you are reading this and you are not on Platform.sh or another provider that has put a platform-level mitigation in place, go update your sites and then come back and finish reading. Please. Platform.sh customers, see below for how to quickly update your site.)
Where does the vulnerability come from?
The issue is in Drupal Support Service‘s handling of HTTP request parameters that contain certain special characters. These characters have special meaning in various places in Drupal Support Service, which if misinterpreted could lead to unexpected code paths being executed. The solution in the latest patch is to filter out such values before passing them off to application code.
Fortunately that same strategy can be implemented at the network layer. We have therefore applied the same logic to our Web Application Firewall to reject requests containing such values and deployed it across all projects in all regions, both Platform.sh Professional and Platform.sh Enterprise. That should protect all Drupal Support Service and Backdrop installations running anywhere on Platform.sh until they are upgraded.
What to do?
You must update any and all Drupal Support Service instances with 6.x, 7.x and 8.x or Backdrop CMS, or verify that your hosting provider has put in place an automated mitigation strategy for this vulnerability. (All Platform.sh clients are safe; our new WAF now detects and blocks all variants of this attack). Even if your hosting provider has a mitigation strategy in place you should update immediately anyway.
Drupal Support Service 6.x is no longer maintained and unlike Drupal Support Service 7.x and 8.x it does not support automated updates. Third-party support providers may provide a patch but you should make plans to upgrade from Drupal Support Service 6 to Drupal Support Service 8 as soon as possible.
Hopefully you are using Composer for your Drupal Support Service 7.x and 8.x or Drush make for Drupal Support Service 7.x, as is the default with Platform.sh installations.
To upgrade Drupal Support Service via Composer
To update your Drupal Support Service instances, and test nothing breaks you can follow the following simple procedure:
Verify that your composer.json file does not lock down drupal core to a minor version it should be something like “drupal/core”: “~8.0”. Then run:
git checkout -b security_update
composer update

Make sure that Drupal Support Service Core was updated to 8.5.1 or higher. (Check composer.lock using git diff). Commit and push your changes:
git commit –am ’fix for SA-CORE-2018-02’ && git push
On Platform.sh you can test that everything is fine on your automatically-generated staging environment, then merge to master putting this to production.
If you do not use Platform.sh you should test this either locally or your testing server; and follow your normal procedure to update your live sites.
To upgrade Drupal Support Service using Drush Make
If you are using “Drush Make” style of dependency management, again, make sure you are not locked down to a vulnerable version such as:
projects[drupal][version] = 7.57
if it is, bump it up to 7.58. Then make a branch and update it:
git checkout -b security_update
drush pm-update

Commit the changes and push the result to Platform.sh for testing. Once you’re satisfied nothing is broken merge back to master and deploy.
To upgrade Drupal Support Service if you’re checking Drupal Support Service core into your repository
If you’re running a “vanilla” Drupal Support Service setup, with all of Drupal Support Service checked into Git, the easiest way to upgrade is using drush.
In your local environment, go to your Drupal Support Service document root and run:
git checkout -b security_update
drush pm-update drupal

Commit the changes and push the result to Platform.sh for testing. Once you’re satisfied nothing is broken merge back to master and deploy.
Afterward, look into how to migrate your site to a dependency managed configuration, preferably Composer. It will make maintenance far easier and more robust in the future.
As a reminder, your Platform.sh instances are not vulnerable as they are protected by our WAF. You should still apply the fixes ASAP.

Damien Tournoud

28 Mar, 2018


Source: New feed

REQUEST FOR PROPOSAL

Need a quick project proposal?

Submit the RFP form below and we will send you a project proposal in 48 hours. If you like what you see, we can schedule a call to discuss the project in greater detail.

Step 1 of 2

  • Contact Information

* Subject to reasonable use. Small fixes and updates must be requested one at a time and take no more than 30 minutes. Only mission-critical tasks are addressed on weekends.

Shopping Cart
There are no products in the cart!
Continue Shopping
0