Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002 | Drupal.org
Project: Drupal core
Date: 2018-March-28
Security risk: Highly critical 24/25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:Default
Vulnerability: Remote Code Execution
Affected versions: >=7.0 <7.58 || >=8.0.0 <8.3.9 || >=8.4.0 <8.4.6 || >=8.5.0 <8.5.1
CVE IDs: CVE-2018-7600
Description:
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
The security team has written an FAQ about this issue.
Edited 2020, February 13 to fix links to patch files.
Solution:
Upgrade to the most recent version of Drupal 7 or 8 core.
If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.
Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.
If you are running 8.3.x, upgrade to Drupal 8.3.9 or apply this patch.
If you are running 8.4.x, upgrade to Drupal 8.4.6 or apply this patch.
This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.
This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.
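To check a fleet of Drupal installs against the affected-version expression given above, the following Python helper is added here as an example; it is not part of the advisory or of Drupal. It evaluates the advisory's range syntax and reads the VERSION constant from Drupal's own source files (includes/bootstrap.inc in 7.x, core/lib/Drupal.php in 8.x), using constructed sample file contents.

```python
import re

# Affected-version expression, copied from the advisory (Drupal 6 is EOL and not listed).
AFFECTED = ">=7.0 <7.58 || >=8.0.0 <8.3.9 || >=8.4.0 <8.4.6 || >=8.5.0 <8.5.1"

# Matches one constraint such as '>=7.0' or '< 8.3.9' (whitespace after the operator is tolerated).
_CONSTRAINT = re.compile(r"(>=|<=|>|<|=)\s*([\d.]+)")

def parse_version(v):
    """'8.5.0-rc1' -> (8, 5, 0). Pre-release suffixes are dropped, so a release
    candidate is treated like its final release (conservative for this check)."""
    numeric = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(part) for part in numeric.split("."))

def cmp_versions(a, b):
    """Three-way compare of version tuples; shorter tuples are zero-padded ('7.0' == '7.0.0')."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def is_affected(version, expr=AFFECTED):
    """True if `version` falls inside any '||'-separated range of `expr`;
    every constraint within one range must hold."""
    v = parse_version(version)
    for branch in expr.split("||"):
        checks = []
        for op, bound in _CONSTRAINT.findall(branch):
            c = cmp_versions(v, parse_version(bound))
            checks.append({">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c == 0}[op])
        if checks and all(checks):
            return True
    return False

def version_from_source(text):
    """Pull the VERSION constant out of Drupal's own source: includes/bootstrap.inc
    in 7.x (define('VERSION', '7.57');) or core/lib/Drupal.php in 8.x (const VERSION = '8.5.0';)."""
    m = re.search(r"(?:define\('VERSION',|const VERSION =)\s*'([^']+)'", text)
    return m.group(1) if m else None

if __name__ == "__main__":
    # Constructed samples standing in for the two files on a real install.
    samples = {"d7 bootstrap.inc": "define('VERSION', '7.57');",
               "d8 Drupal.php": "const VERSION = '8.5.0';"}
    for name, src in samples.items():
        ver = version_from_source(src)
        print(f"{name}: {ver} -> {'AFFECTED' if is_affected(ver) else 'not affected'}")
```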
Reported By:
Jasper Mattsson
Fixed By:
Jasper Mattsson
Samuel Mortenson, Provisional Drupal Security Team member
David Rothstein of the Drupal Security Team
Jess (xjm) of the Drupal Security Team
Michael Hess of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Peter Wolanin of the Drupal Security Team
Alex Pott of the Drupal Security Team
David Snopek of the Drupal Security Team
Pere Orga of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Cash Williams of the Drupal Security Team
Daniel Wehner
Tim Plunkett
Contact and more information
The Drupal security team can be reached by email at security at drupal.org or via the contact form.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Contributing organizations for this advisory
Thunder
Acquia
Chapter Three (acquired by Kanopi Studios)
Drupal Association
myDropWizard
PreviousNext
SciShield
The security team is made up of volunteers around the world. The companies above have sponsored time on this release.