Open-source CMS Drupal has advised users to upgrade to the latest version of Drupal 7 and 8 to prevent a bug from affecting sites using the content management software.
“A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” the organization said in a security advisory last March 28.
1M Sites at Risk of an Attack
TechCrunch reported that more than one million websites use the affected Drupal versions.
Drupal said the bug also affects version 6, but the edition is “End of Life,” and “given the potential severity of the issue,” the organization said it released a security patch for it as well as for older versions.
Drupal, however, noted that they had, not received reports of attacks on sites using the organization’s CMS but experts fear that exploits may happen anytime.
Drupalgeddon
Cyberscoop said the bug was discovered by Jasper Mattsson, who works for Drupal security auditing firm Druid.
The bug’s official name is CVE-2018-7600 but Cyberscoop said users of the CMS went on Twitter and called it Drupalgeddon2.
Drupalgeddon2 comes three years after the first bug appeared in 2014, prompting Drupal to issue a security patch to ward it off.
Freelance journalist Kim Zetter, however, reported in 2017 that years after a patch was available for Drupalgeddon, an election security center in Georgia was attacked through the bug.
Alert
TechCrunch recalled that Drupal sent out a notice on March 21 that the organization would roll out a “highly-critical release” Wednesday last week.
Recommended for You
Webcast, April 18th: How to Use Tools to Maximize Your Influencer Marketing ROI
The site said Drupal’s announcement was “unusual, and left developers on high alert for the targeted time frame of the release.”
Drupal’s security team urged developers “to reserve time for core updates at that time because exploits might be developed within hours or days.”
Solutions
Meanwhile, Drupal told developers in its security advisory that:
Those running 7.x must upgrade to Drupal 7.58.
Those running 8.5.x should upgrade to Drupal 8.5.1.
For those running 8.3.x, upgrade to Drupal 8.3.9.
If you are running 8.4.x, upgrade to Drupal 8.4.6.
“This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release,” Drupal said.
What’s Next?
Drupal revealed that a “highly-critical bug” had left more than one million sites using the organization’s CMS vulnerable to an attack.
What can you say about it? Share your thoughts by commenting below.