A Public Service Announcement (PSA) was released on July 30th, 2018, announcing a moderately critical security update to Drupal core. The release was scheduled outside the normal Drupal core security release window, but the issue was deemed important enough to publish out of band. The PSA can be found here: https://www.drupal.org/psa-2018-07-30
Details of the actual vulnerability were released along with the security update on August 1, 2018. Based on the feedback and messaging around the issue on other forums such as Acquia.com, it is highly recommended that anyone on Drupal 8.5 install this update. For organizations not running the latest version of Drupal 8, it is recommended that you manually upgrade the impacted libraries as soon as possible. Before deciding which path applies to you, confirm what is actually deployed (for example with `composer show drupal/core` or `drush status`) rather than relying on what the site was last known to run.
For more information on the Drupal Security Advisories, the Drupal Security Team and Drupal Security Rating Process, check out our previous post here: https://bluetext.com/drupal-8-critical-security-release-march-28th-2018/
Drupal 8 has made significant improvements in standardizing its upgrade path. Gone are the days where an upgrade would require a full site rebuild and migration. While some upgrades are more significant than others, the overall standardization of the upgrade process is welcome.
Beginning with Drupal 8, minor upgrades do not remove functionality from core. Changes to core APIs or functions are instead marked as "deprecated" and slated for removal in the next major version.
Major upgrades clear out all of the deprecated functionality that has accumulated in order to start from a clean slate. With the standardization on the Symfony framework, there is no plan to rebuild Drupal core as was done from versions 6 -> 7 and 7 -> 8.
Great! So upgrading my sites in Drupal 8 should be easy, right?
Answer: Not so much!
The big takeaway is that the Drupal 8 updates made to standardize the upgrade process will make staying up-to-date much easier. That being said, there are still complications with the minor version upgrades. Drupal 8 continues to be in very active development — the community is working hard to integrate critical functionality, such as Media and Workflow, into the Drupal core.
With these core improvements comes a new dilemma: How do I upgrade my website that was built utilizing contributed functionality because the core functionality was not ready at the time? It might sound simple to do, but there are many improvements and alterations made to functionality when it is being integrated into the core. This requires an upgrade path to be built in order to move forward with updating the version of Drupal 8 you are running.
The good news is that Drupal 8 will not release a new core upgrade without an upgrade path for migrating the contributed functionality to the core. The bad news is that this won’t cover customizations or other contributed add-on functionality. This is where the real work comes in and where planning is required.
Here are some high-level questions that will help you plan your core upgrade path:
- Which of the contributed modules I am using have been moved into core?
- Which of the patches I am applying have been committed to core?
- Are there additional dependencies that need to be updated due to core API updates or changes?
- Do I have any custom code that is utilizing deprecated core functions or modules?
Things can get a little more complex depending on how your website is built. For example, if you are using Features for configuration management, you will also need to consider:
- Are my features dependent on configuration from core/contrib that has been updated or removed?
- Do my features contain configuration related to a deprecated module?
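The planning questions above can be answered mechanically rather than by memory. The script below is an added example (not Bluetext's or Drupal's own code) that runs four checks over a code base: contrib packages in `composer.lock` that now have a core replacement, `cweagans/composer-patches` entries in `composer.json` that must be re-verified against the target core version, custom PHP that still calls deprecated procedural functions, and exported configuration (as shipped in a Feature) whose `dependencies: module:` list names a module that is being retired. The contrib-to-core mapping and the deprecated-function list are assumptions seeded with a few well-known entries; the sample `composer.lock`, `composer.json`, PHP and config inputs are constructed for the example.

```python
"""Upgrade-planning checks for a Drupal 8 code base (added example, not Drupal's code)."""
import json
import re

# ASSUMPTION: contrib package -> (core module that replaced it, core version it landed in).
# Confirm each entry against the core release notes for your target version.
CONTRIB_MOVED_TO_CORE = {
    "drupal/media_entity": ("media", "8.4.0"),
    "drupal/workbench_moderation": ("content_moderation", "8.5.0"),
    "drupal/jsonapi": ("jsonapi", "8.7.0"),
}
RETIRED_MODULES = {pkg.split("/", 1)[1] for pkg in CONTRIB_MOVED_TO_CORE}

# ASSUMPTION: a seed list of deprecated procedural functions and their replacements;
# the authoritative list is the core change records, so extend this as you go.
DEPRECATED_FUNCTIONS = {
    "drupal_set_message": "\\Drupal::messenger()->addMessage()",
    "db_query": "\\Drupal::database()->query()",
    "entity_load": "\\Drupal::entityTypeManager()->getStorage($type)->load($id)",
    "format_date": "\\Drupal::service('date.formatter')->format()",
}
# Match a bare call such as `db_query(` but not `->db_query(`, `::db_query(`,
# `$db_query(` or a longer identifier such as `my_db_query_wrapper(`.
CALL_RE = re.compile(
    r"(?<![\w\\>:$])(" + "|".join(map(re.escape, DEPRECATED_FUNCTIONS)) + r")\s*\(")


def version_tuple(version):
    """'8.5.6' -> (8, 5, 6); tolerates a leading 'v' or a '-beta1' suffix."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def contrib_replaced_by_core(lock_json, target_core):
    """Packages in composer.lock whose functionality is in core at target_core or earlier."""
    found = []
    for pkg in json.loads(lock_json).get("packages", []):
        entry = CONTRIB_MOVED_TO_CORE.get(pkg["name"])
        if entry and version_tuple(target_core) >= version_tuple(entry[1]):
            found.append((pkg["name"], pkg.get("version", "?"), entry[0]))
    return found


def patches_to_recheck(composer_json):
    """Every composer-patches entry under extra.patches; each must be re-tested against
    the target core and dropped once the upstream issue has been committed."""
    patches = json.loads(composer_json).get("extra", {}).get("patches", {})
    return [(pkg, desc, src) for pkg, items in patches.items() for desc, src in items.items()]


def find_deprecated_calls(php_source, path="<inline>"):
    """(path, line, function, replacement) for each deprecated call in custom PHP."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for match in CALL_RE.finditer(line):
            fn = match.group(1)
            hits.append((path, lineno, fn, DEPRECATED_FUNCTIONS[fn]))
    return hits


def config_module_dependencies(config_yml):
    """Module names under the top-level 'dependencies: module:' key of an exported
    config file. A minimal line reader so the example needs no YAML library."""
    mods, in_deps, in_module = [], False, False
    for line in config_yml.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            in_deps, in_module = stripped == "dependencies:", False
        elif in_deps and indent == 2:
            in_module = stripped == "module:"
        elif in_deps and in_module and stripped.startswith("- "):
            mods.append(stripped[2:].strip())
    return mods


def feature_config_risks(config_yml, retired=RETIRED_MODULES):
    """Modules a Feature's config depends on that are being replaced by core."""
    return [m for m in config_module_dependencies(config_yml) if m in retired]


# Constructed sample inputs; they do not come from any real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "8.4.8"},
    {"name": "drupal/media_entity", "version": "1.8.0"},
    {"name": "drupal/pathauto", "version": "1.3.0"}]})
SAMPLE_COMPOSER = json.dumps({"extra": {"patches": {
    "drupal/core": {"Constructed example patch": "patches/example.patch"}}}})
SAMPLE_PHP = """<?php
function mymodule_save_notice() {
  drupal_set_message(t('Saved.'));
  $nids = db_query('SELECT nid FROM {node}')->fetchCol();
  \\Drupal::messenger()->addMessage('already migrated');
  my_db_query_wrapper();
}
"""
SAMPLE_CONFIG = """langcode: en
status: true
dependencies:
  module:
    - media_entity
    - node
  config:
    - field.storage.node.field_image
id: node.article.field_image
"""


def report(target_core="8.5.0"):
    """Run all four checks over the constructed samples and return the findings."""
    return {
        "contrib_now_in_core": contrib_replaced_by_core(SAMPLE_LOCK, target_core),
        "patches_to_recheck": patches_to_recheck(SAMPLE_COMPOSER),
        "deprecated_calls": find_deprecated_calls(SAMPLE_PHP, "mymodule.module"),
        "feature_config_risks": feature_config_risks(SAMPLE_CONFIG),
    }


if __name__ == "__main__":
    for section, findings in report().items():
        print(section, *findings, sep="\n  ")
```

In practice you would point `contrib_replaced_by_core` at the real `composer.lock`, walk `modules/custom` with `find_deprecated_calls`, and walk each Feature's `config/install` directory with `feature_config_risks`; anything the script flags is a work item for the upgrade plan, and anything it does not flag still needs the usual test run, because the deprecation list is only as complete as you keep it.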
While the new upgrade plan for Drupal provides a much clearer path forward, it still requires effort to stay up to date. For many clients, separating a large upgrade into several, smaller chunks is desirable because it is more manageable and allows them to spread the cost of upgrading their entire site over several quarters or years.
If you are not already aware, and, more importantly, have not already upgraded, on March 28 a critical security update was released for all versions of the open source Drupal content management system. The vulnerability was scored 21/25 under the NIST Common Misuse Scoring System, which places it in the Highly Critical band of the Drupal rating scale described below. The advisory describes it as "(a) remote code execution vulnerability (that) exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised." More information can be found here: https://www.drupal.org/sa-core-2018-002
Drupal Security Advisories
Security advisories are posted on the Drupal.org website under the security advisories page. It is important for anyone who is maintaining a Drupal website to regularly check for security advisories that may apply to their websites in order to keep their sites secure. There are several ways to stay up to date with the most recent information:
- Visit the Drupal Security Advisory Page
- Subscribe to the RSS feeds for core, contrib, or public service announcements
- Follow @drupalsecurity on Twitter.
Drupal Security Team
One huge selling point of Drupal as a platform is its large community of users. An integral part of this community is the Drupal Security Team, a volunteer team of professionals from across the industry who want to help improve the security of Drupal. The goals of the security team are to:
- Resolve reported security issues and publish them as Security Advisories
- Provide assistance for contributed module maintainers in resolving security issues
- Provide documentation on how to write secure code
- Provide documentation on securing your site
- Help the infrastructure team to keep the drupal.org infrastructure secure
For more information about the Drupal Security Team, what they do, and how they do it, check out their page on Drupal.org.
Drupal Security Rating Process
The security rating of a vulnerability is used to help determine how urgently you should treat a new security advisory. While all security updates should be applied, not every one warrants disrupting your business to deploy it the moment it is released.
All Drupal security advisories are scored using the NIST Common Misuse Scoring System (NISTIR 7864), and the resulting score maps to a rating:
- a score between 0 and 4 is considered Not Critical
- 5 to 9 is considered Less Critical
- 10 to 14 is considered Moderately Critical
- 15 to 19 is considered Critical
- 20 to 25 is considered Highly Critical
Each issue should be assessed individually, but, as a basic rule of thumb, any issue rated Critical or Highly Critical should be addressed immediately. Less Critical and Moderately Critical issues should be fit into the current release if possible, and Not Critical issues can be prioritized against the backlog of updates. Note that the score is about the vulnerability class, not your site: an issue rated Moderately Critical for a default install can be far worse for you if the affected module is exposed to anonymous users, so read the advisory's vector, not just its headline.
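To make the bands above concrete, here is an added example (not Drupal's own risk calculator, and not code from the original post) that turns an advisory's risk vector, the `AC:.../A:.../CI:.../II:.../E:.../TD:...` string printed at the top of every Drupal security advisory, into a score and a rating. The per-metric weights are my understanding of the values Drupal's calculator uses and are an assumption to verify against the Drupal Security Team's risk-levels page; their maximum sum is 25, which matches the ceiling the post cites. The sample vector for SA-CORE-2018-002 is also given from memory and is labelled as such; it reproduces the 21/25 quoted above.

```python
"""Score a Drupal security advisory from its risk vector (added example, not Drupal's code)."""

# ASSUMPTION: metric weights as used by Drupal's risk calculator, to the best of my
# knowledge. Verify against https://www.drupal.org/security-team/risk-levels.
# Maximum total: 4 + 4 + 5 + 5 + 4 + 3 = 25, the ceiling the post quotes.
WEIGHTS = {
    "AC": {"None": 4, "Basic": 3, "Complex": 2},        # access complexity
    "A": {"None": 4, "User": 3, "Admin": 1},            # authentication required
    "CI": {"None": 0, "Some": 2, "All": 5},             # confidentiality impact
    "II": {"None": 0, "Some": 2, "All": 5},             # integrity impact
    "E": {"Exploit": 4, "Proof": 3, "Theoretical": 1},  # zero-day impact (exploit maturity)
    "TD": {"All": 3, "Default": 2, "Uncommon": 1},      # target distribution
}

# Rating bands exactly as listed in the post (inclusive score ranges).
BANDS = [
    (0, 4, "Not Critical"),
    (5, 9, "Less Critical"),
    (10, 14, "Moderately Critical"),
    (15, 19, "Critical"),
    (20, 25, "Highly Critical"),
]

# The post's rule of thumb, keyed by rating.
TRIAGE = {
    "Not Critical": "prioritize against the update backlog",
    "Less Critical": "fit into the current release if possible",
    "Moderately Critical": "fit into the current release if possible",
    "Critical": "address immediately",
    "Highly Critical": "address immediately",
}

# ASSUMPTION: the vector published for SA-CORE-2018-002, as I recall it; check the advisory.
SA_CORE_2018_002 = "AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default"


def parse_vector(vector):
    """'AC:None/A:None/...' -> {'AC': 'None', ...}; rejects unknown or missing metrics."""
    parsed = {}
    for part in vector.split("/"):
        metric, _, value = part.partition(":")
        if metric not in WEIGHTS or value not in WEIGHTS[metric]:
            raise ValueError(f"unknown metric or value: {part!r}")
        parsed[metric] = value
    missing = set(WEIGHTS) - set(parsed)
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return parsed


def score(vector):
    """Sum of the per-metric weights for a complete vector (0..25)."""
    return sum(WEIGHTS[metric][value] for metric, value in parse_vector(vector).items())


def rating(points):
    """Map a score onto the post's five bands."""
    for low, high, name in BANDS:
        if low <= points <= high:
            return name
    raise ValueError(f"score out of range: {points}")


def triage(vector):
    """(score, rating, action) for an advisory vector."""
    points = score(vector)
    name = rating(points)
    return points, name, TRIAGE[name]


if __name__ == "__main__":
    print(triage(SA_CORE_2018_002))
```

The useful property of the vector, which the headline score hides, is that `E` and `TD` are environmental: an advisory published at `E:Theoretical` is rescored upward once a public exploit exists, and a module that is `TD:Uncommon` across the ecosystem may be `TD:All` on your particular site, so `triage()` is a starting point for your own assessment, not a substitute for it.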