Critical Drupal Security Issue (DRUPAL-SA-CORE-2014-005)
Update: October 31, 2014
Drupal has announced that automated attacks began compromising Drupal 7 websites within hours of the announcement of the vulnerability. According to Drupal's website, "You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."
Please see the Drupal public service announcement for details about damage control and recovery:
Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003
https://www.drupal.org/PSA-2014-003
October 15, 2014
This message is intended for U-M IT staff who are responsible for websites that use Drupal.
The Drupal Security Team has issued a security advisory for Drupal 7 relating to a SQL injection vulnerability:
https://www.drupal.org/SA-CORE-2014-005
According to the Drupal security advisory, Drupal 7 includes a database abstraction API intended to sanitize queries so that SQL injection is prevented:
- A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.
- Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
- This vulnerability can be exploited by anonymous users.
Drupal core 7.x versions prior to 7.32 are affected. The solution is to install the latest version, Drupal core 7.32; sites that cannot upgrade immediately can apply the one-line patch linked from the advisory, which changes only includes/database/database.inc, until the full upgrade is done.
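As an added illustration (not code from this notice or from Drupal itself), the reduced PHP model below shows why a crafted request reaches the SQL text. Drupal 7's placeholder expansion turns an array argument into a list of ":key_<index>" placeholders; before 7.32 the index was taken straight from the caller-supplied array keys, so a request parameter such as name[0 ;...]=x produced a string key that was pasted into the query. The function names, the sample query and the malicious input are this example's own, and the two functions mirror the pre-7.32 and 7.32 loops rather than reproducing Drupal's class.

```php
<?php
// Added example, not Drupal's own code: a reduced model of the placeholder
// expansion performed by Drupal 7's database abstraction layer, in the shape
// it had before 7.32 and the shape it has after the fix.

// Pre-7.32 behaviour: array values become ":key_<index>" placeholders, but
// <index> is the caller-supplied array key, so a string key is copied into
// the SQL text unescaped.
function expand_arguments_vulnerable($query, array $args) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach ($data as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        // \b keeps ":name" from also matching ":namefoo".
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

// 7.32 behaviour: array_values() renumbers the array first, so <index> is
// always an integer and placeholder names stay under the API's control.
function expand_arguments_fixed($query, array $args) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        foreach (array_values($data) as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

// Sample query (constructed for this example).
$query = 'SELECT * FROM users WHERE name IN (:name) AND status = 1';

// Normal use: a list of names becomes :name_0, :name_1 and the values are
// bound separately by the database driver.
list($q, $a) = expand_arguments_fixed($query, array(':name' => array('alice', 'bob')));
echo $q, "\n";
// SELECT * FROM users WHERE name IN (:name_0, :name_1) AND status = 1

// Constructed malicious input: an array with a string key, which is what
// PHP builds from a request parameter like name[0 ;DELETE FROM users;#]=x.
$evil = array(':name' => array('0 ;DELETE FROM users;#' => 'x'));

list($q, $a) = expand_arguments_vulnerable($query, $evil);
echo $q, "\n";
// SELECT * FROM users WHERE name IN (:name_0 ;DELETE FROM users;#) AND status = 1
// The key text is now part of the SQL and the "#" comments out the rest.

list($q, $a) = expand_arguments_fixed($query, $evil);
echo $q, "\n";
// SELECT * FROM users WHERE name IN (:name_0) AND status = 1
// The attacker's key is discarded; only its value is bound, as :name_0.
```

The point to take from the second and third outputs is that the fix escapes nothing: it removes the attacker's ability to name placeholders, so the SQL text handed to the database driver is again built only from the application's query and integer indices. Because the vulnerable path produced the SQL string before any binding happened, and because the affected code runs for anonymous requests such as the login form, no account was needed to reach it.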
Drupal rates this issue highly critical. If you or others in your units provide websites that use Drupal, you are urged to update to Drupal core 7.32 (or apply the advisory's patch) as soon as possible.