View online: https://www.drupal.org/sa-core-2019-003

Project: Drupal core [1]
Date: 2019-February-20
Security risk: *Highly critical* 20∕25
AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Remote Code Execution

CVE IDs: CVE-2019-6340
Description: 
Some field types do not properly sanitize data from non-form sources. This
can lead to arbitrary PHP code execution in some cases.

A site is only affected by this if one of the following conditions is met:

* The site has the Drupal 8 core RESTful Web Services (rest) module enabled
and allows PATCH or POST requests, or
* the site has another web services module enabled (like JSON:API [3] in
Drupal 8, or Services [4] or RESTful Web Services [5] in Drupal 7).

Solution: 
* If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10 [6].
* If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11 [7].
* Be sure to install any available security updates for contributed
projects
[8] after updating Drupal core.
* No core update is required for Drupal 7, but several Drupal 7 contributed
modules [9] do require updates.

Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive
security coverage.

To immediately mitigate the vulnerability, you can disable all web services
modules, or configure your web server(s) to not allow PUT/PATCH/POST requests
to web services resources. Note that web services resources may be available
on multiple paths depending on the configuration of your server(s). For
Drupal 7, resources are for example typically available via paths (clean
URLs) and via arguments to the “q” query argument. For Drupal 8, paths may
still function when prefixed with index.php/.

Reported By: 
* Samuel Mortenson [10] of the Drupal Security Team

Fixed By: 
* Sascha Grossenbacher [11]
* Peter Wolanin [12] of the Drupal Security Team
* Samuel Mortenson [13] of the Drupal Security Team
* Daniel Wehner [14]
* Cash Williams [15] of the Drupal Security Team
* Wim Leers [16]
* Jess [17] of the Drupal Security Team
* Lee Rowlands [18] of the Drupal Security Team
* Alex Pott [19] of the Drupal Security Team
* Francesco Placella [20]
* Damian Lee [21]
* Tobias Zimmermann [22]
* Ted Bowman [23]
* Damien McKenna [24] of the Drupal Security Team
* Alex Bronstein [25] of the Drupal Security Team
* Rob Loach [26]
* Gabe Sullice [27]
* Michael Hess [28] of the Drupal Security Team
* Neil Drumm [29] of the Drupal Security Team
* Heshan Wanigasooriya [30]
* David Snopek [31] of the Drupal Security Team
* Wolfgang Ziegler [32]
* Miro Dietiker [33]
* Truls S. Yggeseth [34]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/jsonapi
[4] https://www.drupal.org/project/services
[5] https://www.drupal.org/project/restws
[6] https://www.drupal.org/project/drupal/releases/8.6.10
[7] https://www.drupal.org/project/drupal/releases/8.5.11
[8] https://www.drupal.org/security/contrib
[9] https://www.drupal.org/security/contrib
[10] https://www.drupal.org/user/2582268
[11] https://www.drupal.org/user/214652
[12] https://www.drupal.org/user/49851
[13] https://www.drupal.org/user/2582268
[14] https://www.drupal.org/user/99340
[15] https://www.drupal.org/user/421070
[16] https://www.drupal.org/user/99777
[17] https://www.drupal.org/user/65776
[18] https://www.drupal.org/user/395439
[19] https://www.drupal.org/user/157725
[20] https://www.drupal.org/user/183211
[21] https://www.drupal.org/user/1037976
[22] https://www.drupal.org/user/107158
[23] https://www.drupal.org/user/240860
[24] https://www.drupal.org/user/108450
[25] https://www.drupal.org/user/78040
[26] https://www.drupal.org/user/61114
[27] https://www.drupal.org/user/2287430
[28] https://www.drupal.org/user/102818
[29] https://www.drupal.org/user/3064
[30] https://www.drupal.org/user/199102
[31] https://www.drupal.org/user/266527
[32] https://www.drupal.org/user/16747
[33] https://www.drupal.org/user/227761
[34] https://www.drupal.org/user/325866

_______________________________________________
Security-news mailing list
Security-news@drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news