{"id":3088,"date":"2017-06-27T13:40:15","date_gmt":"2017-06-27T20:40:15","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=3088"},"modified":"2019-08-19T13:41:55","modified_gmt":"2019-08-19T20:41:55","slug":"three-drupal-updates-patch-critical-vulnerabilities","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/brief\/three-drupal-updates-patch-critical-vulnerabilities\/","title":{"rendered":"Three Drupal Updates Patch Critical Vulnerabilities"},"content":{"rendered":"<h5 class=\"et_pb_toggle_title\">\u00a0Three Drupal updates patch critical vulnerabilities<\/h5>\n<div class=\"et_pb_toggle_content clearfix\">\n<div>\n<p><strong>Issue<\/strong><br \/>\nOne of the three critical vulnerabilities patched last week in the Drupal web content management system allows for remote code execution.<\/p>\n<p><strong>Impact<\/strong><br \/>\nDrupal is one of the most popular content management systems in use, and the vulnerability described in\u00a0CVE-2017-6920 gives an attacker the same capabilities on the system as Drupal itself.<br \/>\nThis vulnerability is in the PECL YAML parser and is related to a bug found recently in PHP. \u00a0PHP updated their documentation alerting developers to not pass unsanitized user input to these functions, which did not \u201cfix\u201d the vulnerability.<br \/>\nDrupal updated their code, changing the way they pass input to the affected functions and is no longer vulnerable to this attack vector.<br \/>\nYAML parsing vulnerabilities have led to quick widespread exploitation in the past, in multiple web frameworks and languages, and are thus considered quite dangerous.<\/p>\n<p><strong>Recommendations<\/strong><br \/>\nRecent high profile website hack and defacements emphasize the need to check your content management system implementation and ensure it is up to date.<\/p>\n<\/div>\n<ul>\n<li><em>Tactical recommendation<\/em>: If your organization\u00a0has deployed Drupal, update to Drupal 8.3.4 or\u00a0Drupal 7.56, as both branches include the fixes for these vulnerabilities.<\/li>\n<li><em>Strategic recommendation<\/em><strong>:<\/strong> Consider using a static publishing script to separate your editing\/publishing platform from your delivery system. This allows your team to reap the benefits of a\u00a0content management system, and couples it with the security of a static site. WordPress, Drupal, and other popular systems have static publishing plugins or scripts.<\/li>\n<\/ul>\n<div><strong>Additional Resources<\/strong><br \/>\nDrupal update:<\/div>\n<ul>\n<li><a href=\"https:\/\/www.drupal.org\/SA-CORE-2017-003\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.drupal.org\/SA-CORE-2017-003<\/a><\/li>\n<\/ul>\n<div>CVE Entries for the three Drupal vulnerabilities:<\/div>\n<ul>\n<li><a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-6920\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2017-6920<\/a><\/li>\n<li><a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-6921\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2017-6921<\/a><\/li>\n<li><a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-6922\" target=\"_blank\" rel=\"noopener noreferrer\">CVE-2017-6922<\/a><\/li>\n<\/ul>\n<div>Example static publishing plugins:<\/div>\n<ul>\n<li><a href=\"https:\/\/www.drupal.org\/project\/static\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.drupal.org\/project\/static<\/a><\/li>\n<li><a href=\"https:\/\/wordpress.org\/plugins\/simply-static\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/wordpress.org\/plugins\/simply-static\/<\/a><\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0Three Drupal updates patch critical vulnerabilities Issue One of the three critical vulnerabilities patched last week in the Drupal web content management system allows for remote code execution. Impact Drupal is one of the most popular content management systems in use, and the vulnerability described in\u00a0CVE-2017-6920 gives an attacker the same capabilities on the system [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[169],"tags":[],"_links":{"self":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3088"}],"collection":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/comments?post=3088"}],"version-history":[{"count":1,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3088\/revisions"}],"predecessor-version":[{"id":3089,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3088\/revisions\/3089"}],"wp:attachment":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/media?parent=3088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/categories?post=3088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/tags?post=3088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}