A follow-up to highly critical Drupal security update incoming: How to prepare

By Peeter Pratka

Drupal Security

The Drupal Security Team (DST) has been pretty busy these past weeks and this trend seems to continue. After two important security updates within a short period of time, ranging from highly critical to moderately critical, another critical Drupal core security update is due to be released this Wednesday (April 25th) between 16:00 and 18:00 UTC. Applying it as soon as it is out is strongly recommended to protect your projects from being exploited. In this post, I am covering what you need to know right now and how to prepare.

The current security update surprised many of us: Drupalgeddon 2.0 still feels pretty fresh. Back then, it almost appeared as if hackers were slacking off a bit in creating exploits. However, when the exploit for the vulnerability was published two weeks post-release, automated exploits appeared in a matter of hours. So no surprises there: finding vulnerable sites has always proven to be good business for malware groups – and it still is. If you want to know why, check out this solid article on Ars Technica.

Does this mean that all the effort we put into updating the sites in a couple of hours was pointless because there really was no threat until weeks later? Absolutely not. My rule of thumb: Hope for the best but prepare for the worst. Nobody could have known beforehand that we had an extra couple of weeks of relative safety on our hands, and neither do we know this time. So, please don’t take any chances and update as soon as possible.

What we currently know about the upcoming security update

It is a critical update. And we only have two days to prepare for it – instead of a whole week like last time. From what we can tell, it seems to be a category less critical than Drupalgeddon 2.0. Anyhow: updates should be applied as soon as they are released. Doing so will not require a database update. This time, the 8.3.x branch is not covered; however, it needs to be updated, too. I recommend trying the patches meant for 8.4 since they also might do the trick for that one.

Important notice regarding Drupal 6

We need to keep an eye on the LTS vendor repositories. And definitely do so when it comes to the following repos – if you want to keep your installation safe:
D6LTS: https://cgit.drupalcode.org/d6lts
Pressflow: https://github.com/pressflow/6/releases

How can I prepare?

In my post on Drupalgeddon 2.0, I’ve already shared my insights on how to prepare for the security update. I would say that my recommendations also apply to the current case, that’s for sure.

You know what they say:

Repetition is the mother of learning, the father of action, which makes it the architect of accomplishment

So, in that spirit, let’s go over my key tips once more.

Security update hands-on: This is what you should do

The following activities are worth considering. They’re based on Drupal update best practices but might vary slightly, depending on your development setup:

  • Speak with your internal development team and prepare them to start applying the updates as soon as they become available on April 25th between 16:00 – 20:00 UTC. Communication is key as they need to understand what you require from them.
  • If you’re working with a Drupal agency, ask them how they’re going to handle the update and ensure that they’re also prepared. For reference, Wunder’s developers will be working on client sites from the second that updates become available.
  • Keep your eye on the Drupal core updates page and look out for the latest post advising on what to do on April 25th: https://www.drupal.org/security. You can also sign up to the email list to get updates: “log in on drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.”
  • Back up your current website so that you have a clean copy of your website’s code and database available prior to the update release. If anything happens, at least you have a version you can use and fix.
  • If you struggle to allocate resources who can carry out the update within the recommended time frame, you might have to consider putting your site into maintenance mode to reduce the risk of any vulnerabilities getting exploited until you can start implementing the updates. Unfortunately, this will mean that your web services will be unavailable to your users during this time.

As you can see, the process is pretty much the same as it was with Drupalgeddon 2.0 – because it works. Good communication between the team members who are taking care of this is key. As long as they remember last month’s patch night, they should be aware of the process and, hopefully, will get it done even faster this time around.

Last but not least: Huge shout-out to the DST!

The Drupal Security Team truly is on a roll. Sure, the current security update does interrupt everyone’s development cycles left, right and centre. I can only imagine everyone suffering a bit from what I would call a ‘security update fatigue’, but there really is nothing we can do against it. However, let’s appreciate all the hard work and extra hours they are dedicating towards website security. Keep up the good work!

My top recommendations for some extra reading:

Drupal automatic security update discussion:
https://www.drupal.org/project/drupal/issues/2367319
Technical analysis of Drupalgeddon 2.0
https://research.checkpoint.com/uncovering-drupalgeddon-2/
Aftermath after exploit was published
https://arstechnica.com/information-technology/2018/04/drupalgeddon2-touches-off-arms-race-to-mass-exploit-powerful-web-servers/
https://vulners.com/impervablog/IMPERVABLOG:4416FB86A8069C419B8EAC9DBF52A644
How Wunder prepared for the patch night and how it went
https://wunder.io/blog/important-drupal-security-update-march-2018
https://wunder.io/blog/drupal-security-update-wunder-clients-safe-and-sound