it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] SA-CORE-2019-003 Notice of increased risk and Additional exploit path - PSA-2019-02-22
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] SA-CORE-2019-003 Notice of increased risk and Additional exploit path - PSA-2019-02-22
- Date: Sat, 23 Feb 2019 01:23:47 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/psa-2019-02-22
Date: 2019-February-23
Vulnerability: SA-CORE-2019-003 Notice of increased risk and Additional exploit path
Description:
This Public Service Announcement is a follow-up to SA-CORE-2019-003. This is
*not* an announcement of a new vulnerability. If you have not updated your
site as described in SA-CORE-2019-003 [1] you should do that now.
There are public exploits now available for this SA.
As far as we know, this is not being mass exploited at this time.
In the original SA we indicated this could be mitigated by blocking POST,
PATCH and PUT requests to web services resources. There is now a new way to
exploit this using GET requests, so that mitigation alone is no longer sufficient.
The best mitigation is:
* If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10 [2].
* If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11 [3].
* Be sure to install any available security updates for contributed projects
[4] after updating Drupal core.
This only applies to your site if:
* The site has the Drupal 8 core RESTful Web Services (rest) module enabled.
OR
* The site has another web services module enabled, like JSON:API in Drupal
8, or Services or RESTful Web Services in Drupal 7, or custom code that
allows entity updates via non-form sources.
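As an added triage helper that is not part of the advisory: it reads the core VERSION constant out of core/lib/Drupal.php, maps the version onto the two upgrade targets the PSA names (8.6.x to 8.6.10, 8.5.x or earlier to 8.5.11) and flags sites that also have a web services module enabled. The module machine names and the sample file contents are assumptions of this example.

```python
import re
from typing import Optional, Set

# Web-service modules the PSA says make a site affected. Machine names are an
# assumption of this example; the advisory only gives the human-readable names.
WEB_SERVICE_MODULES = {"rest", "jsonapi", "services", "restws"}

# Constructed sample of the relevant part of core/lib/Drupal.php.
SAMPLE_DRUPAL_PHP = "<?php\nclass Drupal {\n  const VERSION = '8.6.9';\n}\n"

VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")
NUMS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_core_version(drupal_php: str) -> str:
    """Return the VERSION constant from core/lib/Drupal.php source text."""
    m = VERSION_RE.search(drupal_php)
    if not m:
        raise ValueError("no VERSION constant found")
    return m.group(1)


def version_tuple(version: str) -> tuple:
    """'8.6.9' -> (8, 6, 9, 1). A pre-release suffix such as '-rc1' yields a
    trailing 0 so that 8.6.10-rc1 sorts below the final 8.6.10 release."""
    m = NUMS_RE.match(version)
    if not m:
        raise ValueError("unparseable version: %s" % version)
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def required_release(version: str) -> Optional[str]:
    """Release the PSA tells this site to move to, or None if already there.
    Branches other than 8.6.x and 8.5.x-or-earlier are outside the PSA's
    two targets and return None; check the SA for those directly."""
    nums = version_tuple(version)
    if nums[0] != 8:
        return None
    if nums[1] == 6:
        target = (8, 6, 10, 1)
    elif nums[1] <= 5:
        target = (8, 5, 11, 1)
    else:
        return None
    return "%d.%d.%d" % target[:3] if nums < target else None


def triage(drupal_php: str, enabled_modules: Set[str]) -> str:
    """One-line verdict combining the version check and the exposure check."""
    version = parse_core_version(drupal_php)
    target = required_release(version)
    exposed = bool(WEB_SERVICE_MODULES & enabled_modules)
    if target is None:
        return "core %s: at or above the PSA's target release" % version
    if not exposed:
        return "core %s: upgrade to %s (no web services module enabled)" % (version, target)
    return "core %s: EXPOSED, upgrade to %s now" % (version, target)
```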
-------- WHAT TO DO IF YOUR SITE MAY BE COMPROMISED --------------------------
Take a look at our existing documentation, "Your Drupal site got hacked,
now what" [5].
We’ll continue to update the SA [6] if novel types of exploit appear.
[1] https://www.drupal.org/SA-CORE-2019-003
[2] https://www.drupal.org/project/drupal/releases/8.6.10
[3] https://www.drupal.org/project/drupal/releases/8.5.11
[4] https://www.drupal.org/security/contrib
[5] https://www.drupal.org/node/2365547
[6] https://www.drupal.org/SA-CORE-2019-003
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.