An hour ago the SA-CORE-2018-002 critical Drupal vulnerability was disclosed. It was announced a week ago in PSA-2018-001. That allowed us to gather our technical team and make sure we could develop and deploy a mitigation to all our clients immediately once the issue was made known.

If you're not running on Platform.sh, please stop reading this post and go update your Drupal site to version 8.5.1 / 8.4.9 / 8.3.8 / 7.58 right now. We're serious: upgrade first and ask questions later. If you are running on Platform.sh, you're safe and can continue reading.

The vulnerability (also referred to as CVE-2018-7600) affects the vast majority of Drupal 6.x, 7.x and 8.x sites and allows arbitrary remote code execution that lets anonymous remote users take full control of any affected Drupal site prior to 8.5.1 / 8.4.9 / 8.3.8 / 7.58. The same issue is present in Backdrop CMS installations prior to 1.9.3. If your Drupal site is not hosted on Platform.sh, we encourage you to immediately update all your Drupal sites to 8.5.1 / 7.58 or to take your site offline. This is serious and trivially exploitable.

You can expect automated attacks to appear within hours at most. If you are not on Platform.sh or another provider that has implemented a mitigation, your site will be hacked. This is as critical as the notorious "Drupalgeddon" episode from three and a half years ago.

Platform.sh is pleased to announce that all Drupal sites hosted on all our regions and all our plans are automatically safe from this attack. Platform.sh has many security layers that make attacks such as this much harder than on comparable services, starting from our read-only hosts and our read-only containers, through our auditable and reproducible build chain, to our static-analysis-based protective block.

In response to this latest vulnerability, we've taken two important steps: