ADVISORY: Critical Drupal Security Issue (DRUPAL-SA-CORE-2014-005)
Friday, October 31, 2014
Update: October 31, 2014
Drupal has announced that automated attacks began compromising Drupal 7 websites within hours of the announcement of the vulnerability. According to Drupal's website, "You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."
Please see the Drupal announcement for details about damage control and recovery:
October 15, 2014
This message is intended for U-M IT staff who are responsible for websites that use Drupal.
The Drupal Security Team has issued a security advisory for Drupal 7 relating to a SQL injection vulnerability:
According to the Drupal security advisory:
Drupal core 7.x versions prior to 7.32 are affected, and the solution is to install the latest version of Drupal—Drupal core 7.32.
- A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.
- Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.This vulnerability can be exploited by anonymous users.
This is a critical security issue. If you or others in your units provide websites that use Drupal, you are urged to update your version of Drupal as soon as possible.