Three Drupal updates patch critical vulnerabilities

One of the three critical vulnerabilities patched last week in the Drupal web content management system allows for remote code execution.

Drupal is one of the most popular content management systems in use, and the vulnerability described in CVE-2017-6920 gives an attacker the same capabilities on the system as Drupal itself.
This vulnerability is in the PECL YAML parser and is related to a bug found recently in PHP.  PHP updated their documentation alerting developers to not pass unsanitized user input to these functions, which did not “fix” the vulnerability.
Drupal updated their code, changing the way they pass input to the affected functions and is no longer vulnerable to this attack vector.
YAML parsing vulnerabilities have led to quick widespread exploitation in the past, in multiple web frameworks and languages, and are thus considered quite dangerous.

Recent high profile website hack and defacements emphasize the need to check your content management system implementation and ensure it is up to date.

  • Tactical recommendation: If your organization has deployed Drupal, update to Drupal 8.3.4 or Drupal 7.56, as both branches include the fixes for these vulnerabilities.
  • Strategic recommendation: Consider using a static publishing script to separate your editing/publishing platform from your delivery system. This allows your team to reap the benefits of a content management system, and couples it with the security of a static site. WordPress, Drupal, and other popular systems have static publishing plugins or scripts.
Additional Resources
Drupal update:
CVE Entries for the three Drupal vulnerabilities:
Example static publishing plugins: