Update Drupal for CKEditor cross-site scripting vulnerability
This message was sent to U-M IT groups on Friday, November 19, 2021. It is intended for U-M IT staff who are responsible for university websites that use the Drupal content management system.
Summary
Problem
Drupal core uses a third-party CKEditor library. Any website running a vulnerable version of CKEditor is at risk. An attacker who can create or edit content (even without access to CKEditor) may be able to exploit one or more cross-site scripting (XSS) vulnerabilities to target users with access to CKEditor, including site admins with elevated access.
Threats
An attacker could exploit this vulnerability to take control of an affected system.
Affected Versions
- Security updates are available for Drupal 8.9, 9.1, and 9.2.
- Security updates are not available for versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x. These versions are end-of-life and do not receive security coverage.
Action Items
Update to the latest version as soon as possible after appropriate testing:
- If you are using Drupal 9.2, update to Drupal 9.2.9.
- If you are using Drupal 9.1, update to Drupal 9.1.14.
- If you are using Drupal 8.9, update to Drupal 8.9.20. Note that Drupal 8 has reached its end of life so this is the final security release provided for Drupal 8.
- If you are using the CKEditor library via means other than Drupal core, update your third-party code (for example, the WYSIWYG module for Drupal 7).
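As an added check that is not part of this notice or of Drupal's own tooling, the following Python maps an installed core version to the action the list above calls for (patched, update to the fixed release, end-of-life with no fix, or outside the advisory's scope). It assumes the version is read from the `const VERSION` line in Drupal 8/9's core/lib/Drupal.php; the sample file contents are constructed.

```python
"""Added example: classify an installed Drupal core version against the fixed
releases named in SA-CORE-2021-011. Not code from U-M or the Drupal project."""
import re

# Fixed release per supported branch, as listed in the notice.
FIXED = {(9, 2): (9, 2, 9), (9, 1): (9, 1, 14), (8, 9): (8, 9, 20)}

def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' (e.g. '9.2.8', '7.82', '9.2.9-rc1').
    Returns ((major, minor, patch), is_prerelease) or None if unparseable."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(-\S+)?\s*$", text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix is not None

def version_from_drupal_php(source):
    """Extract the version from core/lib/Drupal.php, which in Drupal 8/9
    declares it as  const VERSION = '9.2.8';  (assumes an unmodified core)."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", source)
    return m.group(1) if m else None

def assess(text):
    """Return the advisory's verdict for one version string."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown: could not parse version %r" % text
    (major, minor, patch), prerelease = parsed
    branch = (major, minor)
    if branch in FIXED:
        fixed = FIXED[branch]
        # A pre-release of the fixed version (9.2.9-rc1) does not count as patched.
        if (major, minor, patch) > fixed or ((major, minor, patch) == fixed and not prerelease):
            return "patched: %d.%d.%d meets %d.%d.%d" % (major, minor, patch, *fixed)
        return "vulnerable: update to %d.%d.%d" % fixed
    if major == 8 or (major == 9 and minor < 1):
        return "end-of-life branch %d.%d: no security update; move to a supported release" % branch
    if major < 8:
        return ("Drupal %d: CKEditor comes from third-party code (e.g. the WYSIWYG module); "
                "update that code instead" % major)
    return "branch %d.%d: not covered by SA-CORE-2021-011" % branch

if __name__ == "__main__":
    # Constructed sample of the relevant line from core/lib/Drupal.php.
    sample = "class Drupal {\n  const VERSION = '9.2.8';\n}\n"
    print(assess(version_from_drupal_php(sample)))  # vulnerable: update to 9.2.9
```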
How We Protect U-M
ITS Information Assurance is working with ITS staff who manage systems running Drupal and notifying others across the university to ensure the updates are applied in a timely manner.
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the update. Content managers and website users do not need to do anything.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Drupal Releases Security Updates (Cybersecurity & Infrastructure Security Agency, 11/18/21)
- Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011 (Drupal, 11/17/21)
- CKEditor 4.17 with enhanced Base64 images support, delayed editor initialization, and security fixes (CKEditor Ecosystem Blog, 11/1/21)