Websites running on Drupal need urgent updates once again. This is the third security release in the span of roughly 30 days, and it follows a new notification from the Drupal security team about a highly critical remote code execution (RCE) vulnerability affecting versions 7 and 8 of the core software. Drupal is one of the most widely used open-source content management systems and powers millions of websites globally, which is exactly why it has drawn sustained attacker attention since the March disclosure of the first RCE flaw in this series.
The new vulnerability, CVE-2018-7602 (Drupal advisory SA-CORE-2018-004), was discovered during the investigation of the previously reported RCE vulnerability known as Drupalgeddon2 (CVE-2018-7600, SA-CORE-2018-002). The initial fix shipped on March 28; the follow-up release is urgent because a successful attack gives full control over the vulnerable site. Drupal's advisory states that sites should be patched immediately, as both issues are rated highly critical.
Administrators have been urged to apply the fixed releases without delay. Sites on 7.x should upgrade to Drupal 7.59. Sites on 8.5.x should upgrade to Drupal 8.5.3. The 8.4.x branch is no longer supported, but Drupal issued a one-off 8.4.8 release so that those sites can close the hole immediately; they should then move to 8.5.3 (or the latest secure release) as soon as possible. For sites that cannot upgrade and instead apply the standalone patch files, the new patches assume the Drupalgeddon2 (SA-CORE-2018-002) fix is already in place.
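The following is an added example, not part of the original article or of Drupal's own tooling, for turning the version table above into a quick check that can be run across a fleet of sites. It reads the version constant Drupal itself writes to disk (core/lib/Drupal.php on Drupal 8, includes/bootstrap.inc on Drupal 7) and reports whether the checkout is at or above the release fixed for its branch. The function names and the constructed sample files in the test are this example's own.

```sh
#!/bin/sh
# Added example: report whether a Drupal checkout is at or above the
# SA-CORE-2018-004 fixed release for its branch (7.59, 8.4.8, 8.5.3).
# Function names are this example's own, not Drupal's.

# Print the version string Drupal records in its source tree.
# Drupal 8: core/lib/Drupal.php contains   const VERSION = '8.5.2';
# Drupal 7: includes/bootstrap.inc contains define('VERSION', '7.58');
drupal_version() {
  dir="$1"
  if [ -f "$dir/core/lib/Drupal.php" ]; then
    sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" "$dir/core/lib/Drupal.php" | head -n 1
  elif [ -f "$dir/includes/bootstrap.inc" ]; then
    sed -n "s/.*define('VERSION', '\([^']*\)').*/\1/p" "$dir/includes/bootstrap.inc" | head -n 1
  else
    return 1
  fi
}

# Succeed (exit 0) when dotted version $1 >= dotted version $2.
# Components are compared numerically, so 8.5.10 > 8.5.3; a non-numeric
# suffix such as 8.6.0-dev compares as 8.6.0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    top = (n > m) ? n : m;
    for (i = 1; i <= top; i++) {
      xi = (i <= n) ? x[i] + 0 : 0;
      yi = (i <= m) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# Map a running version to the release that carries the fix for its branch.
# Branches the advisory did not issue a release for are reported as unsupported.
required_fix() {
  case "$1" in
    7.*)   echo 7.59 ;;
    8.5.*) echo 8.5.3 ;;
    8.4.*) echo 8.4.8 ;;
    *)     echo unsupported ;;
  esac
}

# Classify a version as patched, vulnerable or unsupported.
status_for() {
  fix=$(required_fix "$1")
  if [ "$fix" = unsupported ]; then
    echo unsupported
  elif version_ge "$1" "$fix"; then
    echo patched
  else
    echo vulnerable
  fi
}

# One-line report for a site root, e.g.  check_site /var/www/drupal
check_site() {
  v=$(drupal_version "$1") || { echo "$1: no Drupal version file found"; return 2; }
  echo "$1: Drupal $v -> $(status_for "$v") (fixed release: $(required_fix "$v"))"
}
```

Two caveats a practitioner should keep in mind. A site that applied the standalone patch files rather than upgrading keeps its old version string, so this check reports it as vulnerable even though the fix is present; confirm such sites by inspecting the patched code instead. Conversely, a "patched" result only says the current code is fixed, not that the site was never compromised while it was exposed, so it is no substitute for reviewing the file system and database of sites that were live between disclosure and patching.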
A Drupal representative indicated that the new vulnerability is harder to exploit than Drupalgeddon2, but that the impact of a successful attack is the same. Technical details of the flaw, already being referred to as Drupalgeddon3, have not been fully disclosed in the official communications; the advisory deliberately says little, since the same details would help attackers build exploits before sites are patched. Two core RCE fixes in one month are a reminder that security patching has to be treated as routine, not exceptional.
Recent history shows that attackers act quickly on newly disclosed Drupal weaknesses. With Drupalgeddon2, mass scanning and exploitation followed within hours of proof-of-concept code becoming public, and compromised sites were loaded with backdoors, cryptocurrency miners and other malicious code. That pattern is why administrators cannot wait for exploit details to surface before updating.
In addition to the two RCE vulnerabilities, a release earlier in April addressed a moderately critical cross-site scripting (XSS) vulnerability in the CKEditor library bundled with Drupal 8. XSS is less severe than RCE, but it still exposes users to attacks such as session cookie theft and phishing, and it adds to the list of reasons site owners must stay current.
In short, every Drupal-powered site should be updated now to the fixed releases, and administrators of sites that were exposed between disclosure and patching should also check them for signs of compromise, since an update does not remove a backdoor that was planted beforehand.