Drupal Zero Day

ITS Advisory Number: 
2018-033
Date(s) Issued: 
Thursday, March 29, 2018
Subject: 
Drupal Zero Day
Overview: 

There will be a security release for Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th, 2018, between 2:00 and 3:30 EST that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page, which can be found in the references below.

Systems Affected: 
  • Drupal versions 7.x, 8.3.x, 8.4.x, and 8.5.x
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
Low
Actions: 
  • After appropriate testing, immediately apply the updates that will be provided by Drupal to the vulnerable systems.
  • Ensure no unauthorized system changes have occurred before applying patches.
  • Run all software as a non-privileged user to diminish the effects of a successful attack.
  • Apply the Principle of Least Privilege to all systems and services.
  • Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
  • Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.