Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4711 Drupal project addresses four critical vulnerabilities 19 December 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Drupal Publisher: Drupal Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Denial of Service -- Remote/Unauthenticated Overwrite Arbitrary Files -- Existing Account Unauthorised Access -- Existing Account Reduced Security -- Existing Account Resolution: Patch/Upgrade Original Bulletin: https://www.drupal.org/sa-core-2019-009 https://www.drupal.org/sa-core-2019-010 https://www.drupal.org/sa-core-2019-011 https://www.drupal.org/sa-core-2019-012 - --------------------------BEGIN INCLUDED TEXT-------------------- Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009 Project: Drupal core Date: 2019-December-18 Security risk: Moderately critical AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All Vulnerability: Denial of Service Version: 8.8.x-dev 8.7.x-dev Description: A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt. Solution: Install the latest version: o If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 . o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 . Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage. To mitigate this issue in any version of Drupal 8, you can also block access to install.php if it's not required. Reported By: o Drew Webber of the Drupal Security Team Fixed By: o Drew Webber of the Drupal Security Team o Lee Rowlands of the Drupal Security Team o Heine of the Drupal Security Team o Alex Pott of the Drupal Security Team o Jess of the Drupal Security Team o Damien McKenna of the Drupal Security Team o David Snopek of the Drupal Security Team o Nathaniel Catchpole of the Drupal Security Team o Greg Knaddison of the Drupal Security Team - -------------------------------------------------------------------------------- Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010 Project: Drupal core Date: 2019-December-18 Security risk: Moderately critical AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:Default Vulnerability: Multiple vulnerabilities Version: 8.8.x-dev 8.7.x-dev Description: Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file. After this fix, file_save_upload() now trims leading and trailing dots from filenames. Solution: Install the latest version: o If you use Drupal core 8.7.x: 8.7.11 o If you use Drupal core 8.8.x: 8.8.1 Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage. Reported By: o Rohit Kapur o Filipe Reis o Dan Reif o mramydnei Fixed By: o Lee Rowlands of the Drupal Security Team o Greg Knaddison of the Drupal Security Team o Michael Hess of the Drupal Security Team o Kim Pepper o Alex Pott of the Drupal Security Team o Derek Wright o Jess of the Drupal Security Team o David Rothstein of the Drupal Security Team - -------------------------------------------------------------------------------- Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011 Project: Drupal core Date: 2019-December-18 Security risk: Moderately critical AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default Vulnerability: Access bypass Version: 8.8.x-dev 8.7.x-dev Description: The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations. Solution: o If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11 . o If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1 . Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage. Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on /admin/config/media/media-library . (This mitigation is not available in 8.7.x.) Reported By: o Adam G-H Fixed By: o Adam G-H o Jess of the Drupal Security Team o Andrei Mateescu o Greg Knaddison of the Drupal Security Team o Alex Bronstein of the Drupal Security Team o Sean Blommaert o Lee Rowlands of the Drupal Security Team - -------------------------------------------------------------------------------- Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012 Project: Drupal core Date: 2019-December-18 Security risk: Critical AC:Basic/A:User/CI:All/II:All/E:Proof/TD:Uncommon Vulnerability: Multiple vulnerabilities Version: 8.8.x-dev 8.7.x-dev 7.x-dev Description: The Drupal project uses the third-party library Archive_Tar , which has released a security update that impacts some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar , .tar.gz , .bz2 or .tlz file uploads and processes them. The latest versions of Drupal update Archive_Tar to 1.4.9 to mitigate the file processing vulnerabilities. Solution: Install the latest version: o If you are using Drupal 7.x, upgrade to Drupal 7.69 . o If you are using Drupal 8.7.x, upgrade to Drupal 8.7.11 . o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.1 . Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage. Reported By: o Jasper Mattsson Fixed By: o Lee Rowlands of the Drupal Security Team o Peter Wolanin of the Drupal Security Team o Sam Becker o Jasper Mattsson o David Rothstein of the Drupal Security Team o michieltcs o Ayesh Karunaratne o Alex Pott of the Drupal Security Team o Jess of the Drupal Security Team o Samuel Mortenson of the Drupal Security Team o Vijaya Chandran Mani Provisional Security Team Member o Drew Webber of the Drupal Security Team - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXfrT6GaOgq3Tt24GAQhIhg//ZPlYgNbhmEPmkHLuKr/VgnoMtLIR8ACP lsyb8HIIyyf+Mk3THEZ7PK/67VQtL+0PsRMYL50Mjkg1qWTycWdoaQ3SUyaCH7lV Q+VCkXm+BskBSyiTwyvTUZ5tFzyCzKAs+MneI4smqb7Q776WgHIDf18+qQgNV7ag V1+Q/6RBPul7Rs7j/uJ+n+2Of2yHvbPmqmQUdXUfFoXq0REoKBQnoGsFIEif4t+G MDaxBZB8seYfi7KVjP4VtVpRksuuk+aFeoMY3A3wneiVoZJnLXwd6f2yqULsmnmu 1Pkyn7XaiMSHnVZlfahbiJ526V986wcC+Co6DQw/kh+u5XT/QO3BCNU4+YFtggGa ItvCQ9y8o2IRo/F/TjJMJj8rncxFL4OzDs5Wwz5HgQDSqCKBMM/wGmS46Daeals5 7ySVge+R2wIcI2TjJuZhBIXeSjQKAKn7yfGPd9WTk7x5Wr049pNWFMIBQjWaE7+c Quh+UaJ0WGjSsfaYuuoygLXiv0QcZnKBirw8cz8i6/JjtzXJ360Wuu+uyp5OmQcu BbAqGKIHaApFrcJ2DS/hMqR362X5bv4lAkbPramgJt4hz3i8IlKbPg2hh5kjwC01 0hFtHDalUJGIFgMAsLzr3bL+kjE9q4gQywziz62uyDCtfc9bjb4zImAb0/AljtpB 6brjr/mvQ10= =36XR -----END PGP SIGNATURE-----