Today Web Content Management system vendor, Drupal has issued advanced notice of an upcoming security advisory containing “highly critical” vulnerabilities that have been fixed in newer versions of Drupal 7 and 8.
“There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 – 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.” -Drupal, PSA-2018-001
Drupal has stated that no details or further information can be provided until the security patch release is made available on March 28th, however security industry experts commented on the tone of the announcement saying they have not read such an apocalyptic announcement from Drupal in over 9 years.
Recommendations
Mitigation:
- There are no work-around available for this issue.
- Implement network protections and patches for environments as they become available.
- Plan, schedule and implement security patches to affected platforms
- Users and administrators should review the agency and Vendor bulletins and apply the necessary updates.
- Additionally, the following technologies should be leveraged to implement these mitigations:
- Antivirus & Endpoint Security Software
- Firewall application sandboxing
- File Integrity Monitoring software
- Intrusion Detection & Protection Systems (IDS/IPS)
- Web Application Firewalls (WAF)
Urgent Security Bulletins
- Drupal Public Service Announcement – PSA-2018-001 https://www.drupal.org/psa-2018-001