Drupal Security Advisories for Critical Vulnerabilities in Drupal Core
Earlier today, Drupal announced the availability of two advisories, SA-CORE-2019-001 [1] and SA-CORE-2019-002 [2] to address critical vulnerabilities in Drupal core.
The first, covered by SA-CORE-2019-001, is CVE-2018-1000888 [3], a vulnerability in PEAR Archive_Tar, a third-party library bundled with Drupal core. The advisory and the accompanying Drupal patches were published because a security update for that library became available. A proof-of-concept exists, but it is not tailored to Drupal, and the configurations that could be affected by it are uncommon.
The second, covered by SA-CORE-2019-002, is a remote code execution vulnerability involving PHP's built-in phar stream wrapper [4]. According to the advisory, the issue is that some Drupal code "may be performing file operations on insufficiently validated user input," which would allow an attacker-supplied phar:// URI to reach the wrapper. The impact is mitigated by the fact that the affected code paths require administrative permissions to exploit.
Drupal advises users to upgrade to Drupal 8.6.6 [5], Drupal 8.5.9 [6] or Drupal 7.62 [7], depending on the branch in use.
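To make the phar stream wrapper issue concrete, the following is an added example (not Drupal's, PHP's or Tenable's code) showing the pattern the advisory warns about and one way to validate user input before it reaches a file operation. The function names, the upload directory layout and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not code from Drupal or the advisory. Demonstrates why a
// file operation on unvalidated user input is dangerous when PHP's phar
// stream wrapper is registered, and a hardened check that refuses it.

// Vulnerable pattern (constructed): the path is taken directly from the user.
function thumbnailExistsVulnerable(string $userPath): bool
{
    // file_exists() on a phar:// URI makes PHP open the archive and
    // unserialize its metadata. If an attacker can place a crafted file on
    // disk (for example a renamed .phar uploaded as an image) and reach
    // this code with a phar:// path to it, that unserialize is the entry
    // point for code execution.
    return file_exists($userPath);
}

// Hardened pattern: accept only plain filenames under a fixed base directory.
function thumbnailExistsHardened(string $userPath, string $baseDir): bool
{
    // Refuse anything carrying a stream-wrapper scheme (phar://, php://,
    // data://, ...). Case-insensitive because wrapper names are matched that way.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath)) {
        return false;
    }

    // Resolve to a canonical local path and require it to stay inside $baseDir,
    // which also blocks ../ traversal. realpath() returns false for missing files.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false) {
        return false;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    return is_file($real);
}

// Constructed inputs: a normal filename, a traversal attempt, and two
// phar:// URIs (one upper-cased to show the scheme check is case-insensitive).
$inputs = [
    'avatar.png',
    '../../etc/passwd',
    'phar:///var/www/uploads/evil.jpg/test.txt',
    'PHAR://uploads/evil.jpg',
];

foreach ($inputs as $in) {
    printf(
        "%-45s -> %s\n",
        $in,
        thumbnailExistsHardened($in, __DIR__) ? 'allowed' : 'rejected'
    );
}
```

Run it from a directory that contains an `avatar.png` to see the first input allowed and the other three rejected. The scheme check is the part that matters for this advisory: any of PHP's file functions (`file_exists`, `is_file`, `file_get_contents`, `include`, and so on) will dereference a phar:// URI if the wrapper is registered. A blunter alternative is `stream_wrapper_unregister('phar')` at bootstrap, at the cost of breaking legitimate .phar usage in the same process.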
A list of Nessus plugins to identify these vulnerabilities will appear here as they’re released.
References:
[1] https://www.drupal.org/sa-core-2019-001
[2] https://www.drupal.org/sa-core-2019-002
[3] https://nvd.nist.gov/vuln/detail/CVE-2018-1000888
[4] http://php.net/manual/en/phar.using.stream.php
[5] https://www.drupal.org/project/drupal/releases/8.6.6
[6] https://www.drupal.org/project/drupal/releases/8.5.9
[7] https://www.drupal.org/project/drupal/releases/7.62