Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002

Wednesday, March 28, 2018

Patch. now.

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.The security team has written an FAQ about this issue.

Source: Drupal core -- Highly critical -- Remote Code Execution -- SA-CORE-2018-002 | Drupal.org

To emphasize the impact:

-- How difficult is it for the attacker to leverage the vulnerability? None (user visits page).
-- What privilege level is required for an exploit to be successful? None (all/anonymous users).
-- Does this vulnerability cause non-public data to be accessible? All non-public data is accessible.
-- Can this exploit allow system data (or data handled by the system) to be compromised? All data can be modified or deleted.
-- Does a known exploit exist? Theoretical or white-hat (no public exploit code or documentation on development exists)
-- What percentage of users are affected? Default or common module configurations are exploitable, but a config change can disable the exploit.

And additionally:

# How dangerous is this issue?

Drupal security advisories include a risk score based on the NIST Common Misuse Scoring System. This helps give an objective sense of the risk of different issues. The risk of SA-CORE-2018-002 is scored 21/25 ( Highly Critical)

# What could an attacker do on a vulnerable site?
A successful exploit of the vulnerability can have a dramatic impact on the site. See the description of the risk score for details..

# Is the issue being exploited?
To our knowledge the issue is not currently being exploited. We will update this FAQ if that changes. Given the nature of the vulnerability, site owners should anticipate that exploits may be developed and should therefore update their sites immediately.

Source: FAQ about SA-CORE-2018-002.

Don't take my word for it, but these are the patches (since the official site is now down):