Drupal has released two additional security updates in the wake of the Drupalgeddon2 critical vulnerability patched on March 28. These updates continue to address vulnerabilities related to the remote code execution vulnerability found in March in both Drupal 7.x and 8.x applications.

April 18 Update

The first of these updates, released last week, addresses a moderately critical cross-site scripting vulnerability within CKEditor. While CKEditor is a collection of third-party JavaScript files, it is included by default with the Drupal core application. The CKEditor team found and patched this vulnerability before coordinating with Drupal developers to release the patch alongside normal Drupal updates.

April 25 Update

This week, Drupal released another critical security update to address a remote code execution vulnerability in the core application. This vulnerability, also related to the highly critical vulnerability patched in March, has been dubbed Drupalgeddon2. Drupal notes in the update that the patch only works on sites that have already applied the updates for the vulnerability disclosed on March 28th. The following versions have been released for the various Drupal branches:

  • For sites using Drupal 7.x, Drupal 7.59 has been released.
  • For sites using Drupal 8.5.x, Drupal 8.5.3 has been released.
  • For sites using Drupal 8.4.x, Drupal 8.4.8 has been released.

Please note that while Drupal 8.4.x is no longer supported, this release has been created to address security vulnerabilities in this version while users plan for full upgrades to the latest 8.5.3 core.
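As an added example (not SiteLock's or Drupal's own code), a small Python check that reads the release string from a Drupal install's version file and compares it against the minimum releases listed above. The file-content patterns are assumed from the core file layout (Drupal 8 records its version in core/lib/Drupal.php, Drupal 7 in includes/bootstrap.inc), and the sample file contents are constructed.

```python
import re
from typing import Optional, Tuple

# Minimum core releases named in the April 25 update, keyed by branch.
PATCHED = {"7": (7, 59), "8.5": (8, 5, 3), "8.4": (8, 4, 8)}

# Release-string formats as they appear in core's version files
# (assumed: Drupal 8 core/lib/Drupal.php, Drupal 7 includes/bootstrap.inc).
VERSION_PATTERNS = [
    re.compile(r"const VERSION = '([^']+)'"),        # Drupal 8
    re.compile(r"define\('VERSION', '([^']+)'\)"),   # Drupal 7
]

# Constructed sample file contents standing in for a real install.
SAMPLE_D8 = "<?php\nclass Drupal {\n  const VERSION = '8.5.3';\n}\n"
SAMPLE_D7 = "<?php\ndefine('VERSION', '7.58');\n"


def extract_version(source: str) -> Optional[str]:
    """Return the release string found in a version file's contents, or None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(source)
        if match:
            return match.group(1)
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.5.3' into a comparable tuple; a '-dev'/'-rc' suffix is dropped
    and only the numeric components are compared."""
    numeric = version.split("-")[0]
    return tuple(int(part) for part in numeric.split(".") if part.isdigit())


def is_patched(version: str) -> bool:
    """True if the release is at or above the April 25 release for its branch."""
    parts = parse_version(version)
    if not parts:
        return False
    if parts[0] == 7:
        return parts >= PATCHED["7"]
    if parts[0] == 8 and len(parts) >= 2:
        branch = f"8.{parts[1]}"
        # 8.3.x and older received no release in this update; treat as unpatched.
        return branch in PATCHED and parts >= PATCHED[branch]
    return False


def check_install(source: str) -> Tuple[Optional[str], bool]:
    """Read the version from file contents and report whether it is patched."""
    version = extract_version(source)
    return version, bool(version and is_patched(version))
```

Point `check_install` at the contents of the real version file on a site to get the same (version, patched) verdict for that install.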

Possible Compromises

While exploits of the most recently patched vulnerabilities have not yet been spotted in the wild, Drupal notes that any site that has not been updated or patched may already be compromised. This assertion was supported by SiteLock data during the week of April 16-22: malware infections on Drupal sites using SiteLock scanners doubled during this timeframe, likely the result of automated attack attempts against unpatched or out-of-date Drupal applications. It is crucial that any site using Drupal complete any necessary updates or patch these flaws as soon as possible to avoid data loss or malicious content. Additionally, Drupal notes in a recently released PSA that Drupal sites which appear to have been upgraded without the site owner's permission may actually be showing a sign of compromise.

Sites with SiteLock SMARTPLUS and SiteLock INFINITY services will be patched automatically on their next daily website scan. Additionally, if any malware is detected on those sites, it will be removed automatically.

For more information on how your Drupal application can be protected from malware and application vulnerabilities, call SiteLock today at 855.378.6200.