Update Drupal to address critical vulnerabilities

July 14, 2016: This information is intended for U-M IT staff who are responsible for university websites that use the Drupal content management system.

Summary

Drupal has has announced updates to multiple third-party modules that address highly critical vulnerabilities that could allow remote code execution. These vulnerable modules are third-party projects that are not part of Drupal core.

Threats

There are already reports of exploits in the wild. Exploitation could result in arbitrary PHP code execution by anonymous users. Vulnerable Drupal sites may be compromised quickly.

Affected Versions

According to the Drupal website, Drupal sites using the vulnerable third-party modules are affected, and security releases are available to address the vulnerabilities. IIA’s estimate is that only a small percentage of Drupal sites are likely to be affected. The affected module versions are:

  • RESTful Web Services 7.x-2.x versions prior to 7.x-2.6
  • RESTful Web Services 7.x-1.x versions prior to 7.x-1.7
  • Coder module 7.x-1.x versions prior to 7.x-1.3
  • Coder module 7.x-2.x versions prior to 7.x-2.6
  • Webform Multifile 7.x-1.x versions prior to 7.x-1.4

Action Items

If the vulnerable third-party modules are in use, update them as soon as possible. Drupal core is not affected. If you do not use these modules, there is nothing you need to do.

Information for Users

Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the updates if the vulnerable third-party modules are in use. Users of those systems, and people who use Drupal to update web content, do not need to do anything.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact [email protected].