Drupal Security Updates
Drupal has released security updates to address a vulnerability affecting Drupal CMS versions 8.9, 9.1 and 9.2. Successful exploitation of this vulnerability could allow remote code execution or allow an attacker to take control of an unpatched system.
The Drupal project uses the PEAR Archive_Tar library, which has released a security update that impacts Drupal. The vulnerability, which is in a third-party library, is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks. Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) that come from a potentially untrusted source.
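An added example, not from the advisory or the Drupal project: a Python pre-extraction check that refuses archives containing links, mirroring the no-symlink condition described above. It also flags absolute or `..` paths and special files, which goes beyond what the advisory states; the function names and the sample archive are constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath


def audit_tar(fileobj):
    """Return (member_name, reason) pairs for entries that should block extraction."""
    findings = []
    # "r:*" lets tarfile auto-detect plain, gzip, bzip2 and xz compression.
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            path = PurePosixPath(member.name)
            if member.issym() or member.islnk():
                # Symbolic and hard links are rejected outright.
                findings.append((member.name, f"link to {member.linkname}"))
            elif path.is_absolute() or ".." in path.parts:
                findings.append((member.name, "path escapes extraction directory"))
            elif not (member.isfile() or member.isdir()):
                findings.append((member.name, "special file (device, FIFO)"))
    return findings


def build_sample(with_symlink):
    """Constructed test archive, built in memory so nothing touches disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        data = b"name: example\n"
        info = tarfile.TarInfo("module/example.info.yml")
        info.size = len(data)
        archive.addfile(info, io.BytesIO(data))
        if with_symlink:
            link = tarfile.TarInfo("module/settings")
            link.type = tarfile.SYMTYPE
            link.linkname = "../outside/target"  # constructed value
            archive.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for flag in (False, True):
        findings = audit_tar(build_sample(flag))
        print("reject" if findings else "accept", findings)
```

Run the audit on the uploaded file before any extraction call and refuse the archive if the returned list is non-empty.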
The National Cyber Security Authority recommends that all Drupal users and administrators install the latest version as follows:
If you are using Drupal 9.2, update to Drupal 9.2.2.
If you are using Drupal 9.1, update to Drupal 9.1.11.
If you are using Drupal 8.9, update to Drupal 8.9.17.
If you are using Drupal 7, update to Drupal 7.82.
Versions of Drupal 8 prior to 8.9.x and versions of Drupal 9 prior to 9.1.x are end-of-life and do not receive security coverage. Where Drupal versions in use are at end-of-life, you are advised to immediately install Drupal 9.2.2, which is the latest stable release of Drupal core. Drupal users and administrators should continually check for software versions and update as new versions become available.
For further information and support, please contact the National Cyber Security Authority (NCSA) by email at rwcsirt@ncsa.gov.rw or call us on 9009.
Drupal Core - Security Advisories
https://www.drupal.org/sa-core-2021-004
29 July 2021