27 March 2018

Important Drupal security update incoming. What you need to know…

This Wednesday, a Drupal update is coming to fix a major security vulnerability - thanks to the incredible Drupal Security Team. As always, they’ve been working tirelessly with members of the community on the release announced in “PSA-2018-001”, which some are starting to label “Drupalgeddon 2.0” because of its severity and potential impact, similar to 2014’s update.

Whilst everyone at Wunder HQ is prepared for Wednesday, I wanted to spend a little bit of time explaining this update, what makes it so special, what this means for you Drupal users out there, and how you can prepare yourselves for its release.

What is this security update all about?

The Drupal Security Team announced last Wednesday (21st March 2018) that a major security update is due to release on the evening of Wednesday 28th March. Here’s the official notification: https://www.drupal.org/psa-2018-001.

As with any robust software, it’s not unusual for security updates to be rolled out. In fact, the diligence of the Drupal Security Team is a major factor behind Drupal being praised as one of the most secure enterprise-level content management systems on the market (trusted by FTSE 100 companies, higher education institutions, governments, and more).

There are, however, some characteristics worth noting about this particular update that make it a big deal.

The first major security update since 2014’s Drupalgeddon

Back in 2014, the Drupal Security Team released a highly critical security update that was labelled Drupalgeddon by the community - officially known as “SA-CORE-2014-005”. This update was given 25/25 on the security risk score, meaning that little effort was needed to exploit the vulnerability and any private data could be obtained from any site by hackers without even needing a user account on the sites in question.

Back then, Drupal users were notified a week before the update was released, and it took only around 7 hours after the release before exploitation of the vulnerability was reported. It was clear that Drupal users had to act fast to stay safe.

Jump forward to March 2018 and the initial signs of PSA-2018-001 sound very similar:

  • One week’s notice for a highly critical security vulnerability fix
  • “...exploits might be developed within hours or days...”

The added support for older Drupal versions also emphasises the seriousness of this security update:

“While Drupal 8.3.x and 8.4.x are no longer supported and we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.”

This update concerns not only Drupal 8 sites but also Drupal 7 and 6, for which updates will be provided in due course.

Following protocol, the Drupal Security Team are not releasing any more information about this update until Wednesday 28th March between 18:00 - 19:30 UTC to reduce the risk of hackers developing exploits whilst fixes are being applied.

What we know:

  • This is a highly critical update
  • Updates should be applied as soon as they are released
  • This will not require a database update

We expect more information to become available on Wednesday, such as the security risk score, estimated fix time, and of course a description of the vulnerabilities to be fixed.

What does this mean for Drupal users?

In short, anyone who is using the Drupal CMS for their web publishing platform, intranet, web services or more needs to have their development teams prepared to act as soon as this Wednesday’s update is released. Wunder Care customers need not worry: our vast team of Drupal developers has got you covered!

How can I prepare?

Based on Drupal update best practices, the following activities are worth considering, depending on your development setup:

  • Speak with your internal development team and prepare them to start applying the updates as soon as they become available on March 28th between 18:00 - 19:30 UTC
  • If you’re working with a Drupal agency, ask them how they’re going to handle the update and ensure that they’re also prepared. For reference, Wunder’s developers will be working on client sites from the second that updates become available.
  • Keep your eye on the Drupal core updates page and look out for the latest post advising on what to do on March 28th: https://www.drupal.org/security. You can also sign up to the email list to get updates: “log in on drupal.org, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.”
  • Back up your current website so that you have a clean copy of your website’s code and database available prior to the update release. If anything happens, at least you have a version you can restore and fix.
  • If you struggle to allocate people who can carry out the update within the recommended time frame, you might have to consider putting your site into maintenance mode to reduce the risk of any vulnerabilities being exploited until you can start applying the updates. Unfortunately, this will mean that your web services are unavailable to your users during this time.

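The backup and maintenance-mode steps above, as an added shell example that is not from the original post or from Wunder. It assumes drush is installed, that DOCROOT points at the Drupal root, and that the core version can be read from the file Drupal keeps it in (core/lib/Drupal.php on Drupal 8, includes/bootstrap.inc on Drupal 7); the paths and the BACKUP_DIR default are placeholders.

```shell
#!/bin/sh
# Pre-update preparation for one Drupal site: back up code and database, then
# put the site into maintenance mode until the fix can be applied.
# Assumptions (not from the original post): drush is on PATH, DOCROOT is the
# Drupal root, and this script runs as a user that can read everything under it.
set -eu

DOCROOT="${DOCROOT:-/var/www/html}"              # assumed Drupal root
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}"  # assumed backup location
DRUSH="${DRUSH:-drush}"                          # e.g. vendor/bin/drush

# Core version from core/lib/Drupal.php (Drupal 8) or includes/bootstrap.inc (Drupal 7).
drupal_version() {
    if [ -f "$DOCROOT/core/lib/Drupal.php" ]; then
        sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" "$DOCROOT/core/lib/Drupal.php"
    elif [ -f "$DOCROOT/includes/bootstrap.inc" ]; then
        sed -n "s/.*define('VERSION', '\([^']*\)').*/\1/p" "$DOCROOT/includes/bootstrap.inc"
    else
        echo "no Drupal core found under $DOCROOT" >&2
        return 1
    fi
}
drupal_major_version() { drupal_version | cut -d. -f1; }

# Tarball of the docroot plus a drush SQL dump in a timestamped directory; prints the path.
backup_site() {
    dest="$BACKUP_DIR/$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dest"
    tar czf "$dest/code.tar.gz" -C "$(dirname "$DOCROOT")" "$(basename "$DOCROOT")"
    (cd "$DOCROOT" && "$DRUSH" sql-dump --result-file="$dest/db.sql" >/dev/null)
    echo "$dest"
}

# Maintenance mode is a variable on Drupal 7 and a state value on Drupal 8 (1 = on, 0 = off).
set_maintenance_mode() {
    mode="$1"
    case "$(drupal_major_version)" in
        7) (cd "$DOCROOT" && "$DRUSH" vset maintenance_mode "$mode") ;;
        8) (cd "$DOCROOT" && "$DRUSH" sset system.maintenance_mode "$mode" && "$DRUSH" cr) ;;
        *) echo "unsupported Drupal major version" >&2; return 1 ;;
    esac
}

# Usage: sh prepare.sh prepare (backup, then lock the site) | sh prepare.sh reopen
case "${1:-}" in
    prepare) echo "Drupal $(drupal_version): backup in $(backup_site)"; set_maintenance_mode 1 ;;
    reopen)  set_maintenance_mode 0 ;;
esac
```

Keep the printed backup path somewhere outside the docroot, because restoring it is the fallback if the update or an attack leaves the site in a bad state.
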
Additional helpful information

To find out more about this security update, check out these helpful resources:
