Drupal Updates Released to Correct Critical RCE Vulnerability

An update for the Drupal CMS has been released that corrects a critical vulnerability – CVE-2019-6340 – which, if exploited, could allow the execution of arbitrary PHP code. The vulnerability is the result of improper sanitization of data in certain field types.

Exploitation of the vulnerability is possible if the core RESTful Web Services module is enabled and PATCH and POST requests are allowed. Exploitation is also possible if other web services modules are enabled, such as JSON:API in Drupal 8, or the Services or RESTful Web Services modules in Drupal 7.

Drupal notes that it is not necessary to update the Drupal 7 Services module, although the recent update does need to be applied if Services is in use, as it includes several other important fixes. Users whose sites have the Drupal 8 core RESTful Web Services module enabled and allow PATCH or POST requests should upgrade as soon as possible.

Users of Drupal 8.6.x should upgrade to Drupal 8.6.10, and users of Drupal 8.5.x and earlier versions should upgrade to Drupal 8.5.11. Drupal has advised users that versions earlier than Drupal 8.5.x are not supported and no longer receive security updates. After updating Drupal core, any available security updates for contributed projects should also be applied.

If it is not possible to perform the update, a workaround is to disable all web services and to configure the web server not to accept PUT/PATCH/POST requests to web services resources. If this option is preferred, be aware that web services resources may be reachable on multiple paths. Drupal 7 resources are typically available both via clean-URL paths and via the “q” query argument, and Drupal 8 paths may also function when prefixed with index.php/.

It is not uncommon for Drupal vulnerabilities to be exploited on unpatched sites soon after security updates are issued. It is therefore strongly recommended to apply the updates as soon as possible. There have been several cases of unpatched sites being attacked to install cryptocurrency miners, RATs, and other malicious content.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news