ALERT: Update Drupal for vulnerability

Wednesday, February 20, 2019

IA Update: 2/20/19, 2:25 p.m.

Drupal has released the security advisory promised for this afternoon: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003.

IA urges those responsible for systems running Drupal to update Drupal immediately as outlined in the advisory.

Affected Versions/Configurations

  • A site is only affected by this if one of the following conditions is met:
  • The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or
  • The site has another web services module enabled (like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7).

Action Items

Initial Alert: 2/20/19, 10:15 a.m.

This infomation was sent via email to multiple U-M IT staff groups February 20, 2019. It is intended for U-M IT staff who are responsible for university websites that use the Drupal content management system.


Drupal reports that it will provide a “highly critical” security release sometime this afternoon (February 20) to address a vulnerability that may allow attackers to compromise Drupal sites. Watch for further details today and apply the update as soon as possible after appropriate testing.


The Drupal Security Team has not released any detailed information about the vulnerability and will not do so until the security release is available. The vulnerability is rated as "highly critical," which is defined as: "Remotely exploitable vulnerabilities that can compromise the system. Interaction is not normally required for the exploit to be successful."


The vulnerability is rated as "highly critical," which is defined as: "Remotely exploitable vulnerabilities that can compromise the system. Interaction is not normally required for this exploit to be successful." See Drupal security risk levels defined.

Affected Versions

  • The security release will be for Drupal 8.5.x and 8.6.x.
  • If you are running Drupal 7, no core update is required, but you may need to update contributed modules if you are using an affected module.
  • It is unclear whether any other versions are affected at this time.

Action Items

Drupal asks that you, "Reserve time on February 20 during the release window to determine whether your sites are affected and in need of an immediate update." Drupal adds, "Mitigation information will be included in the advisory." The most recent information from the Drupal Security team indicates that the release window is between 1:00 and 5:00 p.m. Eastern Standard Time.

Watch for the critical security release from Drupal this afternoon. The release will be announced:

Updates for U-M services:

  • ITS Web Application Hosting. If you have an affected Drupal installation through ITS Web Hosting, you will need to update it.    
  • U-M Hosting Platform. Drupal on the U-M Hosting Platform will be updated for you. If you use this service, you do not need to take action.

How We Protect U-M

Information Assurance is working with ITS staff who manage systems running Drupal and notifying others across the university to ensure the updates are applied in a timely manner.

Information for Users

Drupal is a content management system used to manage website content. Administrators of systems running Drupal need to apply the update. Content managers and website users do not need to do anything.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.