Good morning Co-op Web Builder enthusiasts. We have an update about a recent high-risk security notice that came directly from the Drupal community. A week ago, Drupal.org released information regarding a critical security risk present in all versions of the popular content management system. The initial posting came with a promise that a fix would be available one week later. Yesterday evening marked the day Drupal.org would release the full details of the security risk and provide a solution. Luckily, we got wind of the patches a little earlier than anticipated and got to work on your sites immediately.
We wanted you to know that our team was able to patch all Co-op Web Builder servers within an hour of the release. This includes all CWB 2, CWB 2.5 and CWB 3 sites.
The information below comes directly from the FAQ published by Drupal’s Security team. The link to the PSA (on Drupal.org) is at the very bottom of this article if you would like to read more about it.
As always, if you have any questions at all, please reach out to us at coopwebbuilder@nreca.coop any time you wish.
How many sites are likely affected?
Drupal 8, 7, and 6 sites are affected. According to the Drupal project usage information, this represents over one million sites, or about 9% of sites that are running a known CMS according to BuiltWith.
How dangerous is this issue?
Drupal security advisories include a risk score based on the NIST Common Misuse Scoring System. This helps give an objective sense of the risk of different issues. The risk of SA-CORE-2018-002 is scored 21/25 (Highly Critical).
What is the security threat's potential?
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
If you would like to read more about the recent PSA, you can do so at Drupal.org.