View online: https://www.drupal.org/sa-contrib-2019-030
Project: Facets [1]
Version: 8.x-1.x-dev
Date: 2019-February-27
Security risk: *Moderately critical* 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting
Description:
This module enables you to create facet filters for the results of a search
query and exposes them as blocks.
The module doesn't sufficiently escape HTML in the JavaScript-based dropdown
widget, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by two factors. First, an attacker must have
a way to insert results into the dataset that is exposed as a facet before
this can happen. Which users can inject such strings depends on the site's
search configuration, but it could be any user who can create content on the
site. Second, the site must be using the JavaScript-based dropdown widget.
Solution:
* Install the latest version, Facets 8.x-1.3 [3].
An effective mitigation is to switch the affected facets from the dropdown
widget to the links widget.
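The class of bug described above, as an added example that is not code from
the Facets module: a facet label that an attacker got into the indexed dataset
is rendered into a dropdown option. The first renderer splices raw strings into
markup, the second escapes every untrusted field. The sample facet results, the
renderer names and the dropdown markup are constructed for this demo; the
advisory does not describe the widget's exact rendering code.

```javascript
// Added example, not code from the Facets module. Demonstrates why a
// JavaScript dropdown widget must HTML-escape facet values before rendering.

// Constructed sample facet results. The second label is attacker-controlled
// and tries to close the <option> and open a <script> element.
const FACET_RESULTS = [
  { value: 'article', label: 'Article', count: 12 },
  { value: 'page', label: 'Page</option><script>alert(document.cookie)</script>', count: 3 },
];

// Entity-encode the five characters that can change meaning in HTML text
// and in double- or single-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: label and value are interpolated as-is, so the
// crafted label breaks out of its <option>; once this string is assigned to
// innerHTML the injected script runs in the visitor's session.
function renderDropdownUnsafe(results) {
  const options = results
    .map((r) => `<option value="${r.value}">${r.label} (${r.count})</option>`)
    .join('');
  return `<select class="facets-dropdown">${options}</select>`;
}

// Hardened renderer: every untrusted string is escaped for the context it
// lands in, and the count is coerced to an integer so it cannot carry markup.
function renderDropdownSafe(results) {
  const options = results
    .map((r) => {
      const n = Number(r.count);
      const count = Number.isFinite(n) ? Math.trunc(n) : 0;
      return `<option value="${escapeHtml(r.value)}">${escapeHtml(r.label)} (${count})</option>`;
    })
    .join('');
  return `<select class="facets-dropdown">${options}</select>`;
}

// True when the rendered markup contains a live <script> start tag, i.e. the
// attacker's payload survived rendering unescaped.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe renderer leaks script tag:', containsScriptTag(renderDropdownUnsafe(FACET_RESULTS)));
console.log('safe renderer leaks script tag:  ', containsScriptTag(renderDropdownSafe(FACET_RESULTS)));
```

In a real browser widget the cleaner fix is to avoid string-built markup
altogether: create each option with document.createElement('option') and set
its value and textContent properties, which cannot be parsed as markup. The
mitigation in the advisory (using the links widget) avoids the JavaScript
rendering path entirely.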
Reported By:
* Ide Braakman [4]
Fixed By:
* Jimmy Henderickx [5]
* Joris Vercammen [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/facets
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/facets/releases/8.x-1.3
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/462700
[6] https://www.drupal.org/user/2393360
[7] https://www.drupal.org/user/36762
View online: https://www.drupal.org/sa-contrib-2019-026
Project: Services [1]
Version: 7.x-3.x-dev
Date: 2019-February-27
Security risk: *Critical* 19∕25
AC:None/A:None/CI:All/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: SQL Injection
Description:
This module provides a standardized solution for building APIs so that
external clients can communicate with Drupal.
The module doesn't sufficiently sanitize user input to entity index
resources, allowing SQL injection attacks.
This vulnerability is mitigated by the fact that the Drupal 7 site must have
one or more "index" resources enabled under the Services endpoint
configuration (admin/structure/services/list/MY-ENDPOINT/resources), and an
attacker must know the endpoint's machine name.
Install the 7.x-3.22 [3] version of the Services module for the fix, or
simply disable any "index" resources to remove the attack vector.
Solution:
Install the latest version:
* If you use the 7.x-3.x Services module for Drupal, upgrade to Services
7.x-3.22 [4]
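How an entity index resource that takes a column list and column=value filters
from the request becomes SQL-injectable, beside a hardened query builder, as
an added example that is not the Services module's code. The parameter names
(fields, parameters), the node table shape and the allow-list are assumptions
made for this demo; the advisory does not state the exact injection point.

```javascript
// Added example, not the Services module's code: a vulnerable and a hardened
// query builder for a hypothetical "index" resource on a node table.

// Columns the hypothetical node index resource may expose and filter on.
// Identifiers cannot be bound as placeholders, so an allow-list is the only
// way to accept a caller-supplied column name safely.
const NODE_INDEX_COLUMNS = new Set(['nid', 'vid', 'type', 'title', 'status', 'created']);

// Constructed requests as they would arrive from the query string of
// GET /MY-ENDPOINT/node?fields=...&parameters[type]=...
const LEGIT_REQUEST = {
  fields: 'nid,title',
  parameters: { type: 'page', status: '1' },
};
const ATTACKER_REQUEST = {
  fields: 'nid,title',
  parameters: {
    type: "page' OR 1=1 -- ",                              // value injection
    'status) OR (SELECT 1 FROM users WHERE uid=1': '1',   // identifier injection
  },
};

// Vulnerable builder: column names and values are concatenated into SQL text.
function buildIndexQueryUnsafe(req) {
  const cols = req.fields.split(',').map((c) => c.trim()).join(', ');
  const where = Object.entries(req.parameters)
    .map(([col, val]) => `${col} = '${val}'`)
    .join(' AND ');
  return { sql: `SELECT ${cols} FROM node WHERE ${where}`, args: [] };
}

// Hardened builder: identifiers are checked against the allow-list and
// rejected if unknown; values never enter the SQL text and are returned as
// bound arguments for the database driver.
function buildIndexQuerySafe(req) {
  const cols = req.fields.split(',').map((c) => c.trim());
  for (const c of cols) {
    if (!NODE_INDEX_COLUMNS.has(c)) throw new Error(`unknown field: ${c}`);
  }
  const clauses = [];
  const args = [];
  for (const [col, val] of Object.entries(req.parameters)) {
    if (!NODE_INDEX_COLUMNS.has(col)) throw new Error(`unknown filter column: ${col}`);
    clauses.push(`${col} = ?`);
    args.push(String(val));
  }
  const where = clauses.length ? ` WHERE ${clauses.join(' AND ')}` : '';
  return { sql: `SELECT ${cols.join(', ')} FROM node${where}`, args };
}

// Returns the rejection reason instead of throwing, for callers that want
// to log rejected requests as a detection signal.
function tryBuildSafe(req) {
  try {
    return { ok: true, query: buildIndexQuerySafe(req) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

console.log(buildIndexQueryUnsafe(ATTACKER_REQUEST).sql);
console.log(tryBuildSafe(ATTACKER_REQUEST));
console.log(tryBuildSafe(LEGIT_REQUEST));
```

Note the two halves of the fix: the value payload (page' OR 1=1 -- ) is not
rejected by the hardened builder, it is simply bound as an argument where it
is harmless, while the column-name payload has to be rejected outright because
there is no placeholder mechanism for identifiers. The advisory's interim
mitigation, disabling the index resources, removes this code path entirely.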
Reported By:
* Samuel Mortenson [5] of the Drupal Security Team
Fixed By:
* Tyler Frankenstein [6]
* Samuel Mortenson [7] of the Drupal Security Team
* Ivo Van Geertruyen [8] of the Drupal Security Team
Coordinated By:
* Samuel Mortenson [9] of the Drupal Security Team
[1] https://www.drupal.org/project/services
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/services/releases/7.x-3.22
[4] https://www.drupal.org/project/services/releases/7.x-3.22
[5] https://www.drupal.org/user/2582268
[6] https://www.drupal.org/user/150680
[7] https://www.drupal.org/user/2582268
[8] https://www.drupal.org/user/383424
[9] https://www.drupal.org/user/2582268
View online: https://www.drupal.org/psa-2019-02-25
Date: 2019-February-25
Vulnerability: Drupal 7 will reach end-of-life in November of 2021
Description:
Drupal 7 was first released in January 2011. In November 2021, after over a
decade, Drupal 7 will reach end of life (EOL). (More information on why this
date was chosen [1].) Official community support for version 7 will end,
along with support provided by the Drupal Association on Drupal.org. This
means that automated testing services for Drupal 7 will be shut down, and
there will be no more updates provided by the Drupal Security Team.
When this occurs, Drupal 7 will be marked end-of-life in the update manager,
which appears in the Drupal administrative interface. Updates, security
fixes, and enhancements will no longer be provided by the community, but may
be available on a limited basis from select commercial vendors.
If you have a site that is running on Drupal 7, now is the time to start
planning the upgrade. Note that the transition from Drupal 8 to Drupal 9
will not be the significant effort that the transition from 7 to 8 was. In
fact, the first release of Drupal 9 will be identical to the last release of
Drupal 8, except with deprecated code removed and dependencies updated to
newer versions. (See Plan for Drupal 9 [2] for more information on Drupal 9.)
What this means for your Drupal 7 sites is, as of November 2021:
* Drupal 7 will no longer be supported by the community at large. The
community at large will no longer create new projects, fix bugs in
existing projects, write documentation, etc. around Drupal 7.
* There will be no more core commits to Drupal 7.
* The Drupal Security Team will no longer provide support or Security
Advisories for Drupal 7 core or contributed modules, themes, or other
projects. Reports about Drupal 7 vulnerabilities might become public,
creating zero-day exploits.
* All Drupal 7 releases on all project pages will be flagged as not
supported. Maintainers can change that flag if they desire to.
* On Drupal 7 sites with the update status module, Drupal Core will show up
as unsupported.
* After November 2021, using Drupal 7 may be flagged as insecure in
third-party scans, as it no longer receives support.
* Best practice is not to use unsupported software, so it would not be
advisable to continue to build new Drupal 7 sites.
* Now is the time to start planning your migration to Drupal 8.
If, for any reason, you are unable to migrate to Drupal 8 or 9 by the time
version 7 reaches end of life, there will be a select number of organizations
that will provide Drupal 7 Vendor Extended Support (D7ES) for their paying
clients. This program is the successor to the successful Drupal 6 LTS
program. Like that program, it will be an additional paid service, fully
operated by these organizations with some help from the Security Team.
The Drupal Association and Drupal Security Team will publish an announcement
once we have selected the Drupal 7 Vendor Extended Support partners.
If you would like more information about the Drupal release cycle, consult
the official documentation on Drupal.org. If you would like more information
about the upcoming release of Drupal 9, join us at DrupalCon Seattle.
Information for organizations interested in providing commercial Drupal 7
Vendor Extended Support
Organizations interested in providing commercial Drupal 7 Vendor Extended
Support to their customers *and* who have the technical knowledge to maintain
Drupal 7 are invited to fill out the
application for the Drupal 7 Vendor Extended Support team [3]. The
application submission should explain why the vendor is a good fit for the
program, and explain how they meet the requirements as outlined below.
Base requirements for this program include:
* You must have experience in the public issue queue supporting Drupal 7
core or Drupal 7 modules. You should be able to point to a history of
such contribution. One way to measure this is issue credits, but there
are other ways. You must continue this throughout your enrollment in the
program. If you have other ways to show your experience, feel free to
highlight them.
* You must make a commitment to the Security Team, the Drupal Association,
and your customers that you will remain active in this program for 3
years.
* As a partner, you must contribute to at least 20% of all Drupal 7 Vendor
Extended Support module patches and 80% of D7ES core patches in a given
year. (Modules that have been moved into core in Drupal 8 count as part
of core metrics in Drupal 7.)
* Any organization involved in this program must have at least 1 member on
the Drupal Security Team for at least 3 months prior to joining the
program and while a member of the program. (See How to join the Drupal
Security Team [4] for information.) This person will need a positive
evaluation of their contributions from the Security Working Group.
* Payment of a Drupal 7 Vendor Extended Support annual fee for program
participation is required (around $3000 a year). These fees will go to
communication tools for the Drupal 7 Vendor Extended Support vendors
and/or the greater community.
* Payment of a $450 application fee is required.
* Your company must provide paid support to Drupal 7 clients. This program
is not for companies that don't provide services to external clients.
Application review process:
1) We will confirm that each vendor meets the requirements outlined above
and is a good fit for the program.
2) If the Security Working Group does not think you are a good fit, we will
explain why and decline your application. If you are rejected, you are
able to reapply. Most rejections will be due to organizations not having
enough ongoing contribution to Drupal 7 and organizations not having a
Drupal Security Team member at their organization.
3) The Drupal Association signs off on your participation in the program.
4) If you are accepted, you will be added to the Drupal 7 Vendor Extended
Support vendor mailing list.
5) The Security Working Group will do a coordinated announcement with the
vendors to promote the program.
If you have any questions you can email d7es at drupal.org
[1] https://www.drupal.org/blog/drupal-7-8-and-9
[2] https://www.drupal.org/blog/plan-for-drupal-9
[3] https://www.surveymonkey.com/r/D7ES
[4] https://www.drupal.org/drupal-security-team/how-to-join-the-drupal-security…
View online: https://www.drupal.org/psa-2019-02-22
Date: 2019-February-23
Vulnerability: SA-CORE-2019-003 Notice of increased risk and additional
exploit path
Description:
This Public Service Announcement is a follow-up to SA-CORE-2019-003. This is
*not* an announcement of a new vulnerability. If you have not updated your
site as described in SA-CORE-2019-003 [1] you should do that now.
There are public exploits now available for this SA.
As far as we know, this is not being mass exploited at this time.
In the original SA we indicated this could be mitigated by blocking POST,
PATCH and PUT requests to web services resources. There is now a new way to
exploit this using GET requests, so blocking those methods is no longer a
sufficient mitigation.
The best mitigation is:
* If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10 [2].
* If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11 [3].
* Be sure to install any available security updates for contributed
projects [4] after updating Drupal core.
This only applies to your site if:
* The site has the Drupal 8 core RESTful Web Services (rest) module
enabled.
OR
* The site has another web services module enabled, like JSON:API in Drupal
8, or Services or RESTful Web Services in Drupal 7, or custom code that
allows entity updates via non-form sources.
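A triage helper that applies this PSA's decision rules to an inventory of
sites, as an added example that is not Drupal code. The input shape (a version
string plus the list of enabled module machine names) and the Drupal 7 module
machine names are assumptions for the demo; the version thresholds and the
exposure conditions are the ones stated above. Blocking POST, PATCH and PUT is
deliberately not counted as a mitigation, because the PSA reports a GET path.

```javascript
// Added example, not Drupal code: fleet triage for SA-CORE-2019-003 using the
// rules stated in this PSA. Input records are an assumed shape for the demo.

// Web services paths the PSA names. Drupal 8: core rest and JSON:API.
// Drupal 7: Services and RESTful Web Services (machine names assumed).
const D8_WEB_SERVICE_MODULES = new Set(['rest', 'jsonapi']);
const D7_WEB_SERVICE_MODULES = new Set(['services', 'restws']);

// "8.6.4" -> [8, 6, 4]; a "-dev"/"-rc1" suffix is dropped, missing parts are 0.
function parseVersion(v) {
  const parts = String(v).split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Returns { affected, target, reason } for one site record.
function triageSite(site) {
  const [major, minor, patch] = parseVersion(site.version);
  const enabled = new Set(site.enabledModules || []);
  const hasAny = (set) => [...set].some((m) => enabled.has(m));
  // Custom code that updates entities from non-form sources counts as exposure.
  const custom = site.customEntityUpdates === true;

  if (major === 7) {
    const exposed = hasAny(D7_WEB_SERVICE_MODULES) || custom;
    return exposed
      ? { affected: true, target: null, reason: 'D7 web services path enabled: install contributed project security updates' }
      : { affected: false, target: null, reason: 'no web services path enabled' };
  }
  if (major !== 8) {
    return { affected: false, target: null, reason: 'version not covered by this PSA' };
  }
  // 8.6.x is fixed in 8.6.10; 8.5.x and earlier in 8.5.11. 8.7 and later
  // shipped after the fix and are assumed here to carry it.
  const target = minor >= 6 ? '8.6.10' : '8.5.11';
  const fixed = minor > 6 || (minor === 6 && patch >= 10) || (minor === 5 && patch >= 11);
  if (fixed) return { affected: false, target, reason: 'core already at or past the fixed release' };
  const exposed = hasAny(D8_WEB_SERVICE_MODULES) || custom;
  return exposed
    ? { affected: true, target, reason: `web services exposed on ${site.version}: upgrade to ${target}` }
    : { affected: false, target, reason: `not exposed today; upgrade to ${target} before enabling any web services module` };
}

// Constructed inventory for the demo; names and versions are made up.
const SAMPLE_FLEET = [
  { name: 'intranet', version: '8.6.4', enabledModules: ['node', 'rest'] },
  { name: 'shop', version: '8.5.3', enabledModules: ['node', 'jsonapi'] },
  { name: 'blog', version: '8.4.8', enabledModules: ['node', 'rest'] },
  { name: 'docs', version: '8.6.10', enabledModules: ['node', 'rest'] },
  { name: 'landing', version: '8.6.4', enabledModules: ['node'] },
  { name: 'legacy', version: '7.63', enabledModules: ['node', 'services'] },
];

function triageFleet(fleet) {
  return fleet.map((s) => ({ name: s.name, ...triageSite(s) }));
}

for (const row of triageFleet(SAMPLE_FLEET)) {
  console.log(`${row.name.padEnd(10)} affected=${row.affected} target=${row.target} ${row.reason}`);
}
```

Sites that are not exposed today are still reported with their target release:
the PSA's mitigation is the core update, and enabling a web services module
later on an unpatched site would reopen the issue.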
-------- WHAT TO DO IF YOUR SITE MAY BE COMPROMISED --------
Take a look at our existing documentation, "Your Drupal site got hacked,
now what" [5].
We’ll continue to update the SA [6] if novel types of exploit appear.
[1] https://www.drupal.org/SA-CORE-2019-003
[2] https://www.drupal.org/project/drupal/releases/8.6.10
[3] https://www.drupal.org/project/drupal/releases/8.5.11
[4] https://www.drupal.org/security/contrib
[5] https://www.drupal.org/node/2365547
[6] https://www.drupal.org/SA-CORE-2019-003