JPCERT-AT-2014-0042
JPCERT/CC
2014-10-21(Initial)
2014-10-22(Update)
<<< JPCERT/CC Alert 2014-10-21 >>>
Vulnerability in Drupal
https://www.jpcert.or.jp/english/at/2014/at140042.html
I. Overview
Drupal contains a SQL injection vulnerability. A remote attacker
leveraging this vulnerability may execute arbitrary SQL commands.
As a result, Web sites running a vulnerable version of Drupal may be
compromised, and administrative accounts may be created.
JPCERT/CC tested the vulnerability and verified that, after logging
into a Drupal administrative account created by leveraging this
vulnerability and then changing module settings, arbitrary PHP code
was executed with the privileges of the Web server.
For details on the vulnerability, refer to the information provided by
Drupal.
Drupal
SA-CORE-2014-005 - Drupal core - SQL injection
https://www.drupal.org/SA-CORE-2014-005
II. Affected Versions
The following versions are affected by this vulnerability.
- Drupal versions 7.31 and earlier
* Drupal versions 6.x are not affected.
III. Solution
Drupal has released a version of Drupal that addresses this vulnerability.
It is recommended to update to this version after thorough testing.
The following version has addressed the vulnerability.
- Drupal 7.32
** Update: 10/22/2014 Update *****************************************
Drupal has released a patch as a temporary workaround. If there is
difficulty in updating to the fixed version, please consider applying
this patch.
Drupal
https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
**********************************************************************
IV. References
Drupal Japan
Drupal 7.32 released, with a critical vulnerability addressed
http://drupal.jp/node/706
Drupal
Drupal 7.32 released
https://www.drupal.org/drupal-7.32
** Update: 10/22/2014 Update ****************************************
Drupal
SA-CORE-2014-005 - Drupal core - SQL injection
https://www.drupal.org/SA-CORE-2014-005
Drupal
SA-CORE-2014-005-D7.patch
https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch
*********************************************************************
--------------
Revision History
2014-10-21 First Edition
2014-10-22 Updated "Solution" and "References"
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/