The Drupal development team has fixed the drupalgeddon2 vulnerability that could be exploited by an attacker to take over a website.

A few days ago, Drupal Security Team confirmed that a “highly critical” vulnerability, tracked as CVE-2018-7600, affects Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by the Drupal developers Jasper Mattsson.

Both Drupal 8.3.x and 8.4.x are not supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates.

Now the Drupal development team has fixed the vulnerability that could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing an URL.

The Drupal CMS currently runs on over one million websites, it is the second most popular content management system behind WordPress.

Website administrators should immediately upgrade their sites to Drupal 7.58 or Drupal 8.5.1.

The flaw was dubbed Drupalgeddon2 after the CVE-2014-3704 Drupalgeddon security vulnerability that was discovered in 2014 that was exploited in numerous successful attacks in the wild.

drupalgeddon2

The good news is that at the time there is no public proof-of-concept code available online.

The Drupal security team declared that it was not aware of any attacks exploiting the Drupalgeddon2 vulnerability in the wild.

“A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.” reads the security advisory published by Drupal.

“The security team has written an FAQ about this issue. Solution:

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)”
Patching the websites it essential, the popular expert Kevin Beaumont noticed that the Drupal homepage was taken down for half an hour to address the Drupalgeddon2.

The Drupal team also issued security patches for the 6.x versions that were discontinued in February 2016.

“This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.” continues the advisory.