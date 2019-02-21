
Drupal Core Remote Code Execution (CVE-2019-6340): What You Need to Know

02/21/2019 | 05:50pm EST

What do I need to know about the Drupal remote code execution vulnerability?

On Wednesday, Feb. 20, 2019, the Drupal Core team provided an early-warning update for the third Drupal Core Security Alert of 2019, which has been assigned CVE-2019-6340.

The vulnerability lies in the lack of field sanitization from non-form sources, which can result in arbitrary remote code execution on the Drupal server. The Drupal Core team has identified a certain set of conditions necessary for a successful exploit:

  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows or requests, or;
  • The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7.

They further indicate that 'The Drupal 7 Services module itself does not require an update at this time, but you should still apply other contributed updates associated with this advisory if Services is in use.'

NOTE: If you are running a version of Drupal older than 8.5.x, you must upgrade to 8.5.11 or 8.6.10 to fix this vulnerability.

What can I do to secure my Drupal servers from CVE-2019-6340?

The Drupal Core team advises that:

  • If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
  • If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.

They further indicate that Drupal site owners should make sure to install any available security updates for contributed projects after updating Drupal core. No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates.

A super-quick remediation is to disable all web services modules, or configure your web server(s) to not allow , , or requests to web services resources.
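An added triage helper (not part of the original post or of Rapid7's tooling) that encodes the upgrade targets the advisory gives above, 8.6.x to 8.6.10 and 8.5.x or earlier to 8.5.11, and pulls the Drupal major version out of a constructed X-Generator response header, which is one of the header signals a scan can use. The sample headers are constructed, and the handling of versions newer than the 8.x line is an assumption:

```python
"""Inventory triage for the Drupal core fix for CVE-2019-6340.

Fixed releases per the advisory: 8.6.x -> 8.6.10, 8.5.x and earlier -> 8.5.11.
Drupal 7 core needs no core update (contributed modules are checked separately).
"""
import re

FIXED_8_6 = (8, 6, 10)
FIXED_8_5 = (8, 5, 11)


def parse_version(text):
    """Turn '8.6.9' or '8.6.9-rc1' into (major, minor, patch); raise on garbage."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised Drupal version: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def core_update_target(version):
    """Return the core release to upgrade to, or None if core is already fixed.

    Drupal 7 core is not affected by this core update, so it returns None.
    Assumption: anything newer than the 8.x line is treated as out of scope.
    """
    v = parse_version(version)
    if v[0] != 8:
        return None
    if v[1] >= 6:
        return None if v >= FIXED_8_6 else "8.6.10"
    # 8.5.x and older 8.x branches all move to 8.5.11 per the advisory
    return None if v >= FIXED_8_5 else "8.5.11"


def major_from_x_generator(headers):
    """Extract the Drupal major version from an X-Generator header, if present.

    Drupal 8 sends 'X-Generator: Drupal 8 (https://www.drupal.org)'. Only the
    major version is exposed this way, so confirm the full version on the host
    before calling core_update_target().
    """
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-generator":
            m = re.search(r"Drupal\s+(\d+)", value)
            if m:
                return int(m.group(1))
    return None


# Constructed sample response headers; not captured from any real host.
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Generator: Drupal 8 (https://www.drupal.org)\r\n"

if __name__ == "__main__":
    print(major_from_x_generator(SAMPLE_HEADERS), core_update_target("8.6.9"))
```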


How big is the attack surface?

Rapid7 Labs' Jon Hart crafted Sonar HTTP studies of the Alexa Top 1m looking for both Drupal headers and the presence of to help identify the scope of the issue on the internet's top sites. Unsurprisingly, the versions are all over the place, but when summarized at the main version (4-8), most identified sites seem to be running version 7.

Remember, this uses headers and an exposed file, so there could be more sites running Drupal in the Alexa Top 1m than identified here.

When we loosen the search to all likely Drupal nodes in Project Sonar ports 80 and 443 studies from earlier in February, we find over 80,000 servers scattered across the internet.

Rapid7 Labs has not seen any Drupal-related // activity since the release of the patch.

Is there InsightVM coverage?

We will be releasing a vulnerability check in our vulnerability management solution, InsightVM, for CVE-2019-6340 in the Thursday, Feb. 21, 2019 VM content release.


Image source: Ixis IT / Flickr

Disclaimer

Rapid7 Inc. published this content on 21 February 2019 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 21 February 2019 22:49:02 UTC