Drupal Issues Urgent Security Updates for Multiple Vulnerabilities
Drupal, the widely used open-source content management system, has announced critical security updates addressing several “moderately critical” vulnerabilities found in Drupal Core, posing potential risks to hundreds of thousands of websites. This alert serves as a crucial reminder for organizations relying on Drupal to ensure their systems are up-to-date to avoid exploitation.
The Drupal development team has published advisories indicating that the identified security flaws stem from third-party libraries integrated into Drupal 8.6, 8.5, and earlier versions, as well as Drupal 7. Among the vulnerabilities is a cross-site scripting (XSS) flaw linked to jQuery, a ubiquitous JavaScript library widely employed across the web and included in Drupal’s core package.
Last week, jQuery addressed this issue by releasing version 3.4.0, which resolves the vulnerability by mitigating unintended behaviors that could be exploited through unsanitized source objects. Notably, this vulnerability remains unassigned a CVE number at this time, yet it is critical due to its potential exploitation within various Drupal modules.
Further vulnerabilities are associated with Symfony PHP components utilized by Drupal Core, which may lead to cross-site scripting (CVE-2019-10909), remote code execution (CVE-2019-10910), and authentication bypass (CVE-2019-10911) attacks. Given the considerable interest hackers have shown in Drupal exploits, organizations are strongly urged to promptly implement the latest CMS updates. Specifically, users of Drupal 8.6 should upgrade to version 8.6.15, those operating on Drupal 8.5 or earlier should upgrade to 8.5.15, and users of Drupal 7 should update to version 7.66.
This month’s disclosures follow a critical remote code execution vulnerability acknowledged in previous patches, which attracted attention due to the subsequent release of proof-of-concept exploit code. Just two days post-release, various threat actors began actively exploiting this vulnerability across vulnerable Drupal websites, further emphasizing the imperative for organizations to maintain vigilance.
Historically, Drupal has been a target for mass cyber-attacks, such as the well-documented Drupalgeddon2 and Drupalgeddon3 incidents last year. Such events underscored how rapidly vulnerabilities can be exploited once exploit code becomes available publicly, often leading to widespread consequences for affected sites.
Through the lens of the MITRE ATT&CK framework, potential tactics employed in these attacks may include initial access techniques, often leveraged by adversaries making use of known vulnerabilities and exploits, as well as privilege escalation and persistence methods that hackers utilize to maintain access and control over compromised assets.
In conclusion, the urgency of applying these security patches cannot be overstated. Organizations using Drupal should prioritize these updates to safeguard their digital assets from imminent threats, reinforcing the need for proactive cybersecurity measures as the landscape of vulnerabilities continues to evolve.