If you are not already aware, and, more importantly, have not already upgraded: on March 28, a critical security update was released for all versions of the open source Drupal content management system platform. The vulnerability was rated 21/25 in severity based on the NIST Common Misuse Scoring System. It was described as “(a) remote code execution vulnerability (that) exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.” More information is available at https://www.drupal.org/sa-core-2018-002
Drupal Security Advisories
Security advisories are posted on the Drupal.org website under the security advisories page. Anyone maintaining a Drupal website should regularly check for security advisories that apply to their sites in order to keep them secure. There are several ways to stay up to date with the most recent information:
- Visit the Drupal Security Advisory Page
- Subscribe to the RSS feeds for core, contrib, or public service announcements
- Follow @drupalsecurity on Twitter.
Drupal Security Team
One huge selling point of Drupal as a platform is the large community of users. An integral part of this community is the Drupal Security Team, a volunteer team of professionals across the industry who want to help improve the security of Drupal. The goals of the security team are to:
- Resolve reported security issues in a Security Advisory
- Provide assistance for contributed module maintainers in resolving security issues
- Provide documentation on how to write secure code
- Provide documentation on securing your site
- Help the infrastructure team to keep the drupal.org infrastructure secure
For more information about the Drupal Security Team, what they do, and how they do it, check out their page on Drupal.org.
Drupal Security Rating Process
The security rating of a vulnerability is used to help determine the level of urgency you should take when dealing with a new security advisory. While all security updates should be incorporated, some may not warrant disruption to your business to implement immediately upon release.
All Drupal security advisories are scored against the NIST Common Misuse Scoring System (NISTIR 7864), and each vulnerability is given a rating:
- a score between 0 and 4 is considered Not Critical
- 5 to 9 is considered Less Critical
- 10 to 14 is considered Moderately Critical
- 15 to 19 is considered Critical
- 20 to 25 is considered Highly Critical
Each issue should be assessed individually, but, as a basic rule of thumb, any issue rated Critical or Highly Critical should be taken care of immediately. Less Critical and Moderately Critical issues should be fit into the current release if possible, and Not Critical issues can be prioritized against the backlog of updates.
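As an added example (not code from the original post or from the Drupal project), the following Python script turns the rating bands and the rule of thumb above into a small triage helper: it pulls the numeric score out of an advisory's "Risk:" line, maps it to the band the page defines, attaches the recommended handling, and sorts a batch of advisories by urgency. The advisory identifier SA-CORE-2018-002 and its 21/25 score come from the page; the other advisory ids and risk strings are constructed sample input, and the `Risk:` line format (score written as "N/25" followed by a metric vector) is an assumption about how advisories are presented.

```python
import re
from dataclasses import dataclass

# Rating bands from the page: inclusive integer ranges on the 0-25 NIST CMSS scale.
BANDS = (
    (0, 4, "Not Critical"),
    (5, 9, "Less Critical"),
    (10, 14, "Moderately Critical"),
    (15, 19, "Critical"),
    (20, 25, "Highly Critical"),
)

# Rule of thumb from the page, keyed by band.
ACTION = {
    "Highly Critical": "patch immediately",
    "Critical": "patch immediately",
    "Moderately Critical": "fit into current release",
    "Less Critical": "fit into current release",
    "Not Critical": "prioritize against update backlog",
}

# Matches "21/25" or "21∕25" (advisories sometimes use the U+2215 division slash).
RISK_RE = re.compile(r"(\d+)\s*[/\u2215]\s*25")


def band_for_score(score: int) -> str:
    """Map a CMSS score to the page's rating band; rejects out-of-range values."""
    if not 0 <= score <= 25:
        raise ValueError(f"CMSS score out of range: {score}")
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise AssertionError("bands do not cover 0-25")  # unreachable


def parse_risk(risk_line: str) -> int:
    """Extract the numeric score from an advisory's Risk line (assumed 'N/25' format)."""
    match = RISK_RE.search(risk_line)
    if match is None:
        raise ValueError(f"no CMSS score found in {risk_line!r}")
    return int(match.group(1))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    risk: str


def triage(advisories):
    """Return (id, score, band, action) rows, most urgent first."""
    rows = []
    for adv in advisories:
        score = parse_risk(adv.risk)
        band = band_for_score(score)
        rows.append((adv.advisory_id, score, band, ACTION[band]))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample input. Only SA-CORE-2018-002 and its 21/25 score are from the page;
# the contrib ids and metric vectors are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    Advisory("SA-CONTRIB-EXAMPLE-A", "Moderately critical 12/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon"),
    Advisory("SA-CORE-2018-002", "Highly critical 21/25"),
    Advisory("SA-CONTRIB-EXAMPLE-B", "Not critical 3\u221525 AC:Complex/A:Admin/CI:None/II:Some/E:Theoretical/TD:Uncommon"),
]


if __name__ == "__main__":
    for advisory_id, score, band, action in triage(SAMPLE_ADVISORIES):
        print(f"{advisory_id:<22} {score:>2}/25  {band:<20} -> {action}")
```

The band edges are kept as data rather than hard-coded comparisons so that a change in the published thresholds is a one-line edit, and `parse_risk` fails loudly on a line it cannot read rather than silently filing an advisory as Not Critical.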