-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2106
                          Drupal Security Updates
                               18 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Unauthorised Access             -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13665 CVE-2020-13664 CVE-2020-13663

Original Bulletin: 
   https://www.drupal.org/sa-core-2020-004
   https://www.drupal.org/sa-core-2020-005
   https://www.drupal.org/sa-core-2020-006

Comment: This bulletin contains three (3) Drupal security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Drupal core - Critical - Cross Site Request Forgery - SA-CORE-2020-004

Project:       Drupal core

Date:          2020-June-17

Security risk: Critical 15/25
               AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability: Cross Site Request Forgery

CVE IDs:       CVE-2020-13663

Description:

The Drupal core Form API does not properly handle certain form input from
cross-site requests, which can lead to other vulnerabilities.

Solution:

  o If you are using Drupal 7.x, upgrade to Drupal 7.72 .
  o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 .
  o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 .
  o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 .

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security
coverage. Sites on 8.7.x or earlier should update to 8.8.8.
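
The following script is an added example for this bulletin, not code from Drupal or AusCERT. It reads the core version out of a Drupal docroot and reports whether that version is at or past the releases fixed by the three advisories collected here (7.72, 8.8.8, 8.9.1, 9.0.1), flagging end-of-life 8.x branches that have no fixed release. It assumes the standard locations of the version constant (core/lib/Drupal.php for 8/9, includes/bootstrap.inc for 7) and treats branches released after these advisories (9.1 and later) as carrying the fixes; the script name and docroot paths in the usage line are placeholders.

```sh
#!/bin/sh
# Added example for this bulletin; not code from Drupal or AusCERT.
# Reports whether a Drupal core install is at or past the releases fixed in
# SA-CORE-2020-004/005/006 (7.72, 8.8.8, 8.9.1, 9.0.1).
#
# Assumptions: Drupal 8/9 records its version in core/lib/Drupal.php as
#   const VERSION = '8.8.7';
# and Drupal 7 in includes/bootstrap.inc as
#   define('VERSION', '7.71');
# Branches released after these advisories (9.1 and later) are assumed to
# carry the fixes; the advisories themselves do not list them.

# Print the core version found under docroot $1, or nothing if none is found.
drupal_version() {
  if [ -f "$1/core/lib/Drupal.php" ]; then
    sed -n "s/^ *const VERSION = '\([^']*\)';.*/\1/p" "$1/core/lib/Drupal.php"
  elif [ -f "$1/includes/bootstrap.inc" ]; then
    sed -n "s/^define('VERSION', '\([^']*\)');.*/\1/p" "$1/includes/bootstrap.inc"
  fi
}

# Print the leading digits of $1, dropping a pre-release suffix such as
# -dev or -rc1 ("8-dev" -> "8"); empty or non-numeric input prints 0.
digits() {
  d=${1%%[!0-9]*}
  printf '%s\n' "${d:-0}"
}

# Print one of: fixed, vulnerable, eol, unknown for version string $1.
# A -dev build of a fixed release is reported as fixed; verify those by hand.
fix_status() {
  case "$1" in
    7.*)   [ "$(digits "${1#7.}")" -ge 72 ] && echo fixed || echo vulnerable ;;
    8.8.*) [ "$(digits "${1#8.8.}")" -ge 8 ] && echo fixed || echo vulnerable ;;
    8.9.*) [ "$(digits "${1#8.9.}")" -ge 1 ] && echo fixed || echo vulnerable ;;
    9.0.*) [ "$(digits "${1#9.0.}")" -ge 1 ] && echo fixed || echo vulnerable ;;
    8.*)   echo eol ;;     # 8.0.x to 8.7.x: end-of-life, no fixed release on the branch
    9.*)   echo fixed ;;   # 9.1 and later post-date the advisories (assumption, see above)
    *)     echo unknown ;;
  esac
}

# Check docroot $1 and print "<docroot> <version> <status>"; succeed only if fixed.
check_docroot() {
  v=$(drupal_version "$1")
  if [ -z "$v" ]; then
    echo "$1: no Drupal core version file found"
    return 1
  fi
  s=$(fix_status "$v")
  echo "$1 $v $s"
  [ "$s" = fixed ]
}

# Usage (placeholder names): sh check-drupal.sh /var/www/site1 /var/www/site2
# Exit status is non-zero if any docroot is not on a fixed release.
if [ "$#" -gt 0 ]; then
  rc=0
  for root in "$@"; do check_docroot "$root" || rc=1; done
  exit "$rc"
fi
```

Run it against every docroot you host, including staging copies and container images built from a pinned composer.lock, since SA-CORE-2020-005 only needs one reachable install with an administrator who can be lured to a malicious page.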

Reported By:

  o Samuel Mortenson of the Drupal Security Team
  o Dor Tumarkin

Fixed By:

  o Greg Knaddison of the Drupal Security Team
  o Samuel Mortenson of the Drupal Security Team
  o Jess of the Drupal Security Team
  o Lee Rowlands of the Drupal Security Team
  o Angie Byron of the Drupal Security Team
  o Peter Wolanin of the Drupal Security Team
  o Daniel Wehner
  o Dor Tumarkin
  o Drew Webber of the Drupal Security Team
  o Alex Pott of the Drupal Security Team
  o David Snopek of the Drupal Security Team


- --------------------------------------------------------------------------------


Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005

Project:       Drupal core

Date:          2020-June-17

Security risk: Critical 17/25
               AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon

Vulnerability: Arbitrary PHP code execution

CVE IDs:       CVE-2020-13664

Description:

Drupal 8 and 9 have a remote code execution vulnerability under certain
circumstances.

An attacker could trick an administrator into visiting a malicious site that
could result in creating a carefully named directory on the file system. With
this directory in place, an attacker could attempt to brute force a remote code
execution vulnerability.

Windows servers are most likely to be affected.

Solution:

Install the latest version:

  o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 .
  o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 .
  o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 .

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security
coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By:

  o Lorenzo G
  o Sam Thomas

Fixed By:

  o Jess of the Drupal Security Team
  o Samuel Mortenson of the Drupal Security Team
  o Peter Wolanin of the Drupal Security Team
  o Lorenzo G
  o Lee Rowlands of the Drupal Security Team
  o Greg Knaddison of the Drupal Security Team
  o Cash Williams of the Drupal Security Team
  o Heine of the Drupal Security Team
  o Drew Webber of the Drupal Security Team
  o Alex Pott of the Drupal Security Team
  o Gabor Hojtsy


- --------------------------------------------------------------------------------


Drupal core - Less critical - Access bypass - SA-CORE-2020-006

Project:       Drupal core

Date:          2020-June-17

Security risk: Less critical 8/25
               AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon

Vulnerability: Access bypass

CVE IDs:       CVE-2020-13665

Description:

JSON:API PATCH requests may bypass validation for certain fields.

By default, JSON:API runs in read-only mode, which makes the vulnerability
impossible to exploit. Only sites that have read_only set to FALSE in the
jsonapi.settings configuration are vulnerable, and exploitation requires an
authenticated user (A:User in the risk score above).
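
The following script is an added example for this bulletin, not code from Drupal or AusCERT. It checks an exported Drupal configuration directory (the config sync directory written by `drush config:export`) for the precondition SA-CORE-2020-006 depends on: the jsonapi module enabled and jsonapi.settings read_only set to false. It assumes the standard export layout (core.extension.yml listing enabled modules under "module:", jsonapi.settings.yml holding a single "read_only" key) and that a missing jsonapi.settings.yml means the core default, read_only true.

```sh
#!/bin/sh
# Added example for this bulletin; not code from Drupal or AusCERT.
# Checks an exported Drupal config directory for the condition that makes
# SA-CORE-2020-006 reachable: jsonapi enabled with read_only set to false.
#
# Assumptions about the export format (standard Drupal 8.8+/9 config files):
#   core.extension.yml lists enabled modules as "  <name>: <weight>" under "module:"
#   jsonapi.settings.yml holds "read_only: true" or "read_only: false"
# A missing jsonapi.settings.yml means the module default (read_only: true).

# Succeed if the jsonapi module is listed as enabled in $1/core.extension.yml.
jsonapi_enabled() {
  [ -f "$1/core.extension.yml" ] && grep -q '^  jsonapi: ' "$1/core.extension.yml"
}

# Print the read_only value from $1/jsonapi.settings.yml, or "true"
# (the core default) when the file or the key is absent.
jsonapi_read_only() {
  f="$1/jsonapi.settings.yml"
  v=""
  [ -f "$f" ] && v=$(sed -n 's/^read_only: *\([A-Za-z0-9]*\).*/\1/p' "$f" | head -n 1)
  printf '%s\n' "${v:-true}"
}

# Print "exposed" when the module is on and writes are allowed (PATCH reaches
# the vulnerable validation path), "read-only" when the module is on but
# writes are refused, "disabled" when the module is not enabled at all.
jsonapi_exposure() {
  if ! jsonapi_enabled "$1"; then
    echo disabled
  elif [ "$(jsonapi_read_only "$1")" = false ]; then
    echo exposed
  else
    echo read-only
  fi
}

# Usage (placeholder path): sh jsonapi-check.sh /var/www/site/config/sync
if [ "$#" -gt 0 ]; then
  for dir in "$@"; do
    echo "$dir: $(jsonapi_exposure "$dir")"
  done
fi
```

On a live site the same value can be read without an export with `drush config:get jsonapi.settings read_only`, which prints the effective setting including any override from settings.php. A "read-only" result does not remove the need to upgrade, since any later change to that setting would re-expose the unpatched code.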

Solution:

Install the latest version:

  o If you are using Drupal 8.8.x, upgrade to Drupal 8.8.8 .
  o If you are using Drupal 8.9.x, upgrade to Drupal 8.9.1 .
  o If you are using Drupal 9.0.x, upgrade to Drupal 9.0.1 .

Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security
coverage. Sites on 8.7.x or earlier should update to 8.8.8.

Reported By:

  o Sergii Bondarenko

Fixed By:

  o Sergii Bondarenko
  o Wim Leers
  o Jess of the Drupal Security Team
  o Lee Rowlands of the Drupal Security Team

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----