ADVISORY: Update Drupal to address API vulnerability

Friday, April 23, 2021

The information below was sent to U-M IT groups on April 23, 2021. It is intended for U-M IT staff who are responsible for university websites that use the Drupal content management system.

Summary

Drupal has released security updates to address a vulnerability affecting Drupal 7, 8.9, 9.0, and 9.1. Update to the latest version as soon as possible after appropriate testing. Drupal is a web content management system.

Problem

Drupal core's sanitization API fails to properly filter cross-site scripting under certain circumstances.

Affected Versions

Drupal 7, 8.9, 9.0, and 9.1

Action Items

Update to the latest version as soon as possible after appropriate testing:

According to Drupal: "Not all sites and users are affected, but configuration changes to prevent the exploit might be impractical and will vary between sites. Therefore, we recommend all sites update to this release as soon as possible."

Updates for U-M services:

  • ITS Web Application Hosting. If you have an affected Drupal installation through ITS Web Hosting, you will need to update it.    
  • U-M Hosting Platform. Drupal on the U-M Hosting Platform has been updated for you. If you use this service, you do not need to take action.

Threats

An attacker could exploit this vulnerability to take control of an affected system.

How We Protect U-M

ITS Information Assurance is working with ITS staff who manage systems running Drupal and notifying others across the university to ensure the updates are applied in a timely manner.

Information for Users

Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the update. Content managers and website users do not need to do anything.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.