What You Need to Know About the Deadly Drupalgeddon2 Bug

Drupal, one of the world’s largest open-source web content management platforms has been struck with a bad news this week by a nasty bug called “Drupalgeddon2”. If left unchecked, this will leave millions of Drupal website highly compromised to attackers. In this article, we shall look at what Drupalgeddon2 is all about and what can you do to secure your Drupal website against the latest vulnerability.

What is Drupalgeddon2?

The vulnerability was first discovered by Jasper Mattsson, an employee of Drupal security auditing firm Druid.

The latest bug is called Drupalgeddon2  (identified as CVE-2018-7600) after the original Drupalgeddon security bug (CVE-2014-3704, SQL injection, severity 25/25) disclosed in 2014 that led to numerous Drupal sites getting hacked for years afterward.

Drupal warns that attackers can exploit the flaw through several avenues. Any visitor, regardless of privileges (authenticated or non-authenticated), can exploit the flaw by visiting an affected site and gain access to, modify and delete private data. Theoretically, the hacking happens through remote code execution due to a missing input validation.

How Deadly Is This Bug?

Well, the latest security flaw is so serious in which Drupal has given the bug a ‘highly critical’ rating with a risk score of 21 out of 25 under the NIST Common Misuse Scoring System.

No attacks have been detected yet, but the Drupal development team and experts believe they will commence in short order.

At the time of writing, the Drupalgeddon2 security flaw affects Drupal 6, 7 and 8 core versions.

Precaution Measures for Drupal Website Owners:

As a safety measure to prevent your website from this vulnerability, it is highly recommended to patch up your Drupal sites with the latest patch. If you are running Drupal 7.X, you need to patch up using Drupal 7.58. If you are running Drupal 8.5.X, then you are required to patch up using Drupal 8.5.1.  The Drupal team also issued security patches for the 6.x versions that were discontinued in February 2016.

If you are unavailable to patch up immediately, you may want to replace your Drupal site with a static HTML page so that the vulnerable Drupal site would not serve the vulnerable URLs to visitors.

Meanwhile, all staging and in-dev Drupal installations should be updated or taken down completely until the security patch can be applied.

If you wish to know more details linked to Drupalgeddon2, please head over to https://www.drupal.org/security