Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Drupal Releases Out-of-Band Security Updates Due to Availability of Exploits

The developers of the Drupal content management system (CMS) released out-of-band security updates right before Thanksgiving due to the availability of exploits.

The core updates released for Drupal 7, 8.8, 8.9 and 9.0 on November 25 address a couple of vulnerabilities affecting PEAR Archive_Tar, a third-party library designed for handling .tar files in PHP.

The developers of the library released an update recently to address two vulnerabilities, tracked as CVE-2020-28948 and CVE-2020-28949, that can be exploited to bypass Phar unresialization protections.

Exploitation involves manipulating file names and it can allow an attacker to execute arbitrary PHP code or overwrite files, including important files such as /etc/passwd and /etc/shadow.

The researcher who reported the vulnerabilities to PEAR developers also made public proof-of-concept (PoC) exploits so Drupal decided to roll out the patches to its users as soon as possible.

“According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable,” Drupal noted in its advisory.

Drupal developers pointed out that exploitation is possible if the CMS is configured to allow uploading .tar, .tar.gz, .bz2 or .tlz files. Similar vulnerabilities related to the same PEAR library were patched one year ago, but Drupal noted that they are not related, although the same types of configuration changes can mitigate the issue. The recommended mitigation involves preventing untrusted users from uploading files with the aforementioned extensions.

The latest updates have been assigned a “critical” severity rating, but it’s worth mentioning that Drupal uses the NIST Common Misuse Scoring System, which assigns vulnerabilities a score ranging between 0 and 25, with “critical” being only the second highest rating, after “highly critical.”

This is the sixth security update released this year for Drupal. The fifth was released earlier this month to patch a remote code execution vulnerability related to failure to properly sanitize the names of uploaded files.

Source: https://www.securityweek.com/drupal-releases-out-band-security-updates-due-availability-exploits?&web_view=true

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO