Platform.sh: SA-CORE-2018-002 Drupal core vulnerability: We’ve got you covered

Crell
Wed, 03/28/2018 – 19:56


An hour ago the SA-CORE-2018-002 critical Drupal core vulnerability was disclosed. It was pre-announced a week ago in PSA-2018-001, which gave us time to gather our technical team and make sure we could develop and deploy a mitigation to all our clients the moment the issue became public.
If you’re not running on Platform.sh, please stop reading this post and go update your Drupal site to version 8.5.1 / 8.4.9 / 8.3.8 / 7.58 right now. We’re serious; upgrade first and ask questions later.
If you are running on Platform.sh: you’re safe and can continue reading… then upgrade.
The vulnerability (also referred to as CVE-2018-7600) affects the vast majority of Drupal 6.x, 7.x and 8.x sites and allows arbitrary remote code execution: anonymous remote users can take full control of any affected Drupal site running a version prior to 8.5.1 / 8.4.9 / 8.3.8 / 7.58.
The same issue is present in Backdrop CMS installations prior to 1.9.3.
If your Drupal site is not hosted on Platform.sh, we encourage you to immediately update all your Drupal sites to 8.5.1 / 7.58 or to take your site offline. This is serious and trivially exploitable. You can expect automated attacks to appear within hours at most. If you are not on Platform.sh or another provider that has implemented a mitigation, your site will be hacked. This is as critical as the notorious “Drupalgeddon” episode from three and a half years ago.
If you are hosting on Platform.sh…
Platform.sh is pleased to announce that all Drupal sites hosted on all our regions and all our plans are automatically safe from this attack.
Platform.sh has many security layers that make attacks such as this much harder than on comparable services: read-only hosts and read-only containers, an auditable and reproducible build chain, and a static-analysis-based protective block.
In response to this latest vulnerability, we’ve taken two important steps:

We’ve added a new rule to our Web Application Firewall (WAF) on all regions and on all Enterprise clusters that detects and blocks requests trying to exploit this latest attack vector, even if your site hasn’t been updated. (But still, please update.)

We are adding a check to our protective block to prevent deployment of affected Drupal versions. If you try to push an insecure Drupal version, our system will flag it and warn you that you are pushing known-insecure code. Please update your code base as soon as possible.
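A pre-deploy version gate of the kind the protective block check above performs, as an added example written for this page (it is not Platform.sh's tooling). It reads the core version constant from `core/lib/Drupal.php` (Drupal 8, `const VERSION = '...'`) or `includes/bootstrap.inc` (Drupal 7, `define('VERSION', '...')`) and compares it against the fixed releases named in this post; those file locations and constant names are Drupal's own, while the function names and the sample file contents are constructed here. Branches that never received a fixed release (Drupal 8.0 to 8.2, Drupal 6) are reported as vulnerable rather than silently passed.

```python
import re

# Fixed releases named in the advisory, keyed by branch.
FIXED_RELEASES = {
    (8, 5): (8, 5, 1),
    (8, 4): (8, 4, 9),
    (8, 3): (8, 3, 8),
    (7,): (7, 58),
}

# Where each major version records its own version string.
VERSION_PATTERNS = (
    # Drupal 8: core/lib/Drupal.php   ->  const VERSION = '8.5.0';
    re.compile(r"const\s+VERSION\s*=\s*'([^']+)'"),
    # Drupal 7: includes/bootstrap.inc ->  define('VERSION', '7.57');
    re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)"),
)


def extract_version(php_source: str):
    """Pull the version string out of Drupal.php or bootstrap.inc; None if absent."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(php_source)
        if match:
            return match.group(1)
    return None


def parse_version(version: str):
    """'8.5.0' -> (8, 5, 0); '7.57' -> (7, 57). A '-dev'/'-rc1' suffix is ignored.
    Returns None for strings such as '8.5.x-dev' that carry no release number."""
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?", version)
    if not match:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a Drupal core version string."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    major = parsed[0]
    if major == 7:
        branch = (7,)
    elif major == 8:
        branch = (8, parsed[1])
        if branch not in FIXED_RELEASES:
            # 8.0-8.2 were end-of-life and got no fix; branches newer than 8.5
            # are outside what this advisory lists, so report them as unknown.
            return "vulnerable" if parsed[1] < 3 else "unknown"
    else:
        # Drupal 6 and earlier are affected and have no fixed release here.
        return "vulnerable" if major < 7 else "unknown"
    return "fixed" if parsed >= FIXED_RELEASES[branch] else "vulnerable"


def check_deploy(php_source: str) -> dict:
    """Deploy gate: block unless the version is a known fixed release.
    An unreadable version is blocked too, so a missing file cannot slip through."""
    version = extract_version(php_source)
    status = classify(version) if version else "unknown"
    return {"version": version, "status": status, "block": status != "fixed"}


# Constructed sample inputs (not real files), mimicking the two locations above.
SAMPLE_D8_OLD = "<?php\nclass Drupal {\n  const VERSION = '8.5.0';\n}\n"
SAMPLE_D7_FIXED = "<?php\ndefine('VERSION', '7.58');\n"

if __name__ == "__main__":
    for source in (SAMPLE_D8_OLD, SAMPLE_D7_FIXED):
        print(check_deploy(source))
```

In a build hook the function would be fed the real file contents and a non-zero exit (or a warning, as the post describes) raised when `block` is true; the "unknown" outcome is deliberately treated as a block, because a gate that passes on parse failure is no gate.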

As a client, if you need any further assistance or want more information about the vulnerability, how it may affect you, and our mitigation strategy, don’t hesitate to contact support. We have set our WAF to an especially aggressive stance for now, and this may result in some users seeing a “400 Bad Request” message in some edge cases for legitimate traffic. If you experience this, please contact our support immediately; they will be able to help.
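A request check of the kind the WAF rule described above performs, as an added example for this page (Platform.sh's actual rule is not published here, and this is not it). It follows the approach of the Drupal core fix for this advisory, which strips request parameters whose key path contains a `#`-prefixed segment; that detail comes from the core patch, not from this post. The extra inspection of a `destination` parameter, the function names, and the sample requests are this example's own assumptions. The third sample shows why the check looks at parameter names rather than values: a `#` inside a search term is legitimate traffic and must not produce the 400 the post warns about.

```python
from urllib.parse import parse_qsl


def php_key_segments(name: str):
    """Split a PHP-style parameter name into its key path:
    'form_id' -> ['form_id'];  'mail[#markup]' -> ['mail', '#markup'];
    'a[b][]' -> ['a', 'b', '']."""
    base, bracket, rest = name.partition("[")
    segments = [base]
    if bracket:
        segments.extend(seg.rstrip("]") for seg in rest.split("["))
    return segments


def dangerous_params(encoded: str):
    """Names of parameters whose key path has a '#'-prefixed segment.
    parse_qsl decodes percent-encoding, so mail%5B%23markup%5D is caught too."""
    return [
        name
        for name, _value in parse_qsl(encoded, keep_blank_values=True)
        if any(seg.startswith("#") for seg in php_key_segments(name))
    ]


def check_request(query_string: str, body: str = "") -> dict:
    """Decide whether a request should be rejected with 400 Bad Request.
    Inspects the query string and the form-encoded body. As an assumption of
    this example, the query part of a 'destination' redirect target is
    inspected as well, since Drupal follows it after the request completes."""
    hits = []
    for source, encoded in (("query", query_string), ("body", body)):
        for name, value in parse_qsl(encoded, keep_blank_values=True):
            if any(seg.startswith("#") for seg in php_key_segments(name)):
                hits.append(f"{source}:{name}")
            elif name == "destination":
                inner = value.partition("?")[2]  # '#' is literal here, not a fragment
                hits.extend(f"{source}:destination:{n}" for n in dangerous_params(inner))
    return {"block": bool(hits), "params": hits}


# Constructed sample requests (query string, body); none were captured from a live site.
SAMPLE_REQUESTS = {
    "render key in form body": ("q=node/1", "form_id=user_register_form&mail[%23markup]=x"),
    "render key via destination": ("destination=/user?mail%5B%23markup%5D%3Dx", ""),
    "legitimate search with '#'": ("q=search&keys=c%23%20tutorial", "name=bob&mail=bob%40example.com"),
}

if __name__ == "__main__":
    for label, (qs, body) in SAMPLE_REQUESTS.items():
        print(f"{label}: {check_request(qs, body)}")
```

Matching on the decoded key path, not on the raw bytes of the URL, is what keeps the rule both effective against percent-encoded variants and quiet on ordinary traffic; a rule that simply rejects any request containing `%23` would produce exactly the edge-case 400s mentioned above.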

Ori Pekelman

28 Mar, 2018



This article was republished from its original source.