[Security-news] SA-CORE-2019-003 Notice of increased risk and Additional exploit path - PSA-2019-02-22

[security-news at drupal.org]

View online: https://www.drupal.org/psa-2019-02-22

Date: 2019-February-23
Vulnerability: SA-CORE-2019-003 Notice of increased risk and Additional
exploit path

Description: 
This Public Service Announcement is a follow-up to SA-CORE-2019-003. This is
*not* an announcement of a new vulnerability. If you have not updated your
site as described in SA-CORE-2019-003 [1] you should do that now.

There are public exploits now available for this SA.

As far as we know, this is not being mass exploited at this time.

In the original SA we indicated this could be mitigated by blocking POST,
PATCH and PUT requests to web services resources, there is now a new way to
exploit this using GET requests.

The best mitigation is:

   * If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10 [2].
   * If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11 [3].
   * Be sure to install any available security updates for contributed 
projects
     [4] after updating Drupal core.

This only applies to your site if:

   * The site has the Drupal 8 core RESTful Web Services (rest) module 
enabled.
OR

   * The site has another web services module enabled, like JSON:API in Drupal
     8, or Services or RESTful Web Services in Drupal 7, or custom code that
     allows entity updates via non-form sources.

-------- WHAT TO DO IF YOUR SITE MAY BE COMPROMISED
--------------------------

Take a look at our existing documentation, ”Your Drupal site got hacked,
now what”. [5]
We’ll continue to update the SA [6] if novel types of exploit appear.


[1] https://www.drupal.org/SA-CORE-2019-003
[2] https://www.drupal.org/project/drupal/releases/8.6.10
[3] https://www.drupal.org/project/drupal/releases/8.5.11
[4] https://www.drupal.org/security/contrib
[5] https://www.drupal.org/node/2365547
[6] https://www.drupal.org/SA-CORE-2019-003