ADVISORY: Critical Drupal Security Issue (DRUPAL-SA-CORE-2014-005)

Friday, October 31, 2014

Update: October 31, 2014

Drupal has announced that automated attacks began compromising Drupal 7 websites within hours of the announcement of the vulnerability. According to Drupal's website, "You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement."

Please see the Drupal announcement for details about damage control and recovery:

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

October 15, 2014

This message is intended for U-M IT staff who are responsible for websites that use Drupal.

The Drupal Security Team has issued a security advisory for Drupal 7 relating to a SQL injection vulnerability (DRUPAL-SA-CORE-2014-005).

According to the Drupal security advisory:

Drupal core 7.x versions prior to 7.32 are affected, and the solution is to install the latest version of Drupal—Drupal core 7.32.

  • A vulnerability in Drupal 7's database abstraction API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.
  • Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.

This is a critical security issue. If you or others in your units provide websites that use Drupal, you are urged to update your version of Drupal as soon as possible.
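As an added illustration (not code from U-M, from Drupal, or from the advisory itself), the following Python helper triages an inventory of Drupal sites against the two facts this advisory states: Drupal core 7.x before 7.32 is affected, and, per the quoted PSA-2014-003 guidance, any site not updated or patched before October 15, 2014, 11pm UTC should be assumed compromised. It assumes the core version can be read from a PHP `define('VERSION', '...')` line in the site's source (the location of that file is not given here and is left to the caller), and the site inventory at the bottom is constructed sample data.

```python
# Added example: triage Drupal 7 sites for SA-CORE-2014-005.
# Not code from U-M or Drupal; see the lead-in for assumptions.
import re
from datetime import datetime, timezone

FIXED_VERSION = (7, 32)  # advisory: 7.x prior to 7.32 is affected, 7.32 fixes it
# PSA-2014-003 (quoted in the advisory): assume compromise unless the site was
# updated or patched before this moment.
ASSUME_COMPROMISED_AFTER = datetime(2014, 10, 15, 23, 0, tzinfo=timezone.utc)

# Assumption: core records its version as a PHP constant, e.g. define('VERSION', '7.31');
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")

RECOMMENDATION = {
    "vulnerable": "update to Drupal core 7.32 now; then assume compromise and follow PSA-2014-003",
    "updated-late-assume-compromised": "patched, but after the deadline: follow PSA-2014-003 recovery steps",
    "updated-in-time": "no action required for this advisory",
    "unknown-version": "could not read VERSION; verify by hand",
    "not-drupal-7": "outside the scope of SA-CORE-2014-005",
}


def parse_version(php_source):
    """Return (major, minor) from core source text, or None when it cannot be
    determined (no define, or a branch string such as 7.x-dev)."""
    match = VERSION_RE.search(php_source)
    if not match:
        return None
    major_part, _, rest = match.group(1).partition(".")
    minor_match = re.match(r"\d+", rest)  # "32" from "32" or "34-rc1"; nothing from "x-dev"
    if not major_part.isdigit() or minor_match is None:
        return None
    return (int(major_part), int(minor_match.group(0)))


def parse_utc(timestamp):
    """Parse an ISO-8601 UTC timestamp such as '2014-10-15T18:00:00Z'; None stays None."""
    if timestamp is None:
        return None
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(version, updated_at=None, patched=False):
    """Classify one site.

    version:    (major, minor) tuple or None
    updated_at: when core was last updated or the SA-CORE-2014-005 patch applied
                (UTC ISO string) or None if unknown
    patched:    True if the fix was applied without moving to 7.32
    """
    if version is None:
        return "unknown-version"
    if version[0] != 7:
        return "not-drupal-7"
    if version < FIXED_VERSION and not patched:
        return "vulnerable"
    updated = parse_utc(updated_at)
    # "before 11pm UTC" is strict: an unknown or later time means assume compromise
    if updated is None or updated >= ASSUME_COMPROMISED_AFTER:
        return "updated-late-assume-compromised"
    return "updated-in-time"


def assess(php_source, updated_at=None, patched=False):
    """Convenience wrapper: returns (status, recommendation) for one site."""
    status = triage(parse_version(php_source), updated_at, patched)
    return status, RECOMMENDATION[status]


if __name__ == "__main__":
    # Constructed inventory: (site name, VERSION line, last update time, patched flag)
    inventory = [
        ("dept-news", "define('VERSION', '7.31');", None, False),
        ("lab-wiki", "define('VERSION', '7.31');", "2014-10-15T20:00:00Z", True),
        ("intranet", "define('VERSION', '7.32');", "2014-10-16T09:00:00Z", False),
        ("legacy", "define('VERSION', '6.33');", None, False),
        ("dev-box", "define('VERSION', '7.x-dev');", None, False),
    ]
    for name, source, updated, patched in inventory:
        status, advice = assess(source, updated, patched)
        print(f"{name:10} {status:32} {advice}")
```

The `patched` flag matters because a site that applied the SA-CORE-2014-005 fix without upgrading still reports 7.31; without it the script would flag such a site as vulnerable when the real question is only whether the fix went in before the deadline.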