Bugs patched in third-party library and Drupal core

Drupal released two security updates on Wednesday, each addressing a vulnerability the project rates as critical in the content management framework.

Both advisories cover vulnerabilities that pose a remote code execution (RCE) risk. The first (SA-CORE-2019-001) addresses a security bug in a third-party library bundled with Drupal, while the second (SA-CORE-2019-002) mitigates a weakness in PHP's own phar handling that can be reached through Drupal code.

Drupal 7.x, 8.5.x, and 8.6.x are all affected and need updating (the fixes shipped in Drupal 7.62, 8.5.9 and 8.6.6). Left unpatched, either vulnerability might allow an attacker to execute arbitrary PHP code on a site.

The first advisory addresses a flaw in the third-party PEAR Archive_Tar library (CVE-2018-1000888), which Drupal uses to unpack tar archives. The bug can be exploited for RCE or arbitrary file deletion.

The second advisory concerns PHP's built-in phar stream wrapper. When a file operation (even a simple stat-style call such as file_exists() or is_dir()) is performed on a phar:// URI, PHP opens the archive and unserializes the metadata stored in it, so an attacker who can supply both a crafted archive and the path to it gets an unserialize() call on attacker-controlled data, which is an RCE risk wherever a suitable gadget chain exists in the loaded code.

“Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability,” Drupal developers explained in an advisory.

“This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.”

This type of PHP unserialization vulnerability, reached through the phar wrapper rather than a direct unserialize() call, has been the focus of recent security research, including a presentation by Sam Thomas at Black Hat USA 2018.
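The mechanism above, shown as an added example rather than code from Drupal or from the advisory: a harmless canary class whose __wakeup() records that unserialize() ran, a deliberately vulnerable helper that passes user input straight to file_exists(), and a hardened helper that refuses any "scheme://" prefix and confines the path to a base directory. The class and function names, the temporary file names and the disguised "avatar.jpg" upload are all assumptions made for the demo. Two caveats: creating the demo archive requires phar.readonly=0 (reading it does not), and on PHP 8.0 and later phar metadata is no longer unserialized automatically when an archive is opened, so the canary only fires on PHP 7.x. Drupal's own fix took a different route from the input check shown here: it registers a replacement phar:// stream wrapper (TYPO3's PharStreamWrapper) that blocks phar access except for archives that are explicitly allowed.

```php
<?php
// Added example, not Drupal core or contrib code. Shows (1) how a file
// operation on an untrusted phar:// URI can run unserialize() on the
// archive's metadata, and (2) a hardened path check that refuses stream
// wrapper schemes and confines the path to a base directory.
// Run with:  php -d phar.readonly=0 phar_demo.php
// (Creating the demo archive needs phar.readonly=0; reading it does not.
//  On PHP 8.0+ metadata is not unserialized on open, so the canary stays false.)

declare(strict_types=1);

// Harmless canary (hypothetical). A real gadget chain would instead use a
// class from the application's autoloaded code whose __wakeup/__destruct
// does something dangerous.
final class Canary
{
    public static $woken = false;

    public function __wakeup(): void
    {
        self::$woken = true; // proof that unserialize() ran
    }
}

// Vulnerable pattern: user input reaches a filesystem function unfiltered.
// file_exists('phar://...') opens the archive and, on PHP 7.x, unserializes
// its metadata before the stat result is even returned.
function vulnerable_exists(string $userPath): bool
{
    return file_exists($userPath);
}

// Hardened pattern: refuse any "scheme://" prefix (phar://, data://, ...),
// refuse null bytes, and confine the resolved path to $baseDir.
function hardened_exists(string $userPath, string $baseDir): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userPath) === 1) {
        throw new InvalidArgumentException('stream wrapper schemes are not allowed');
    }
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('null byte in path');
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false) {
        return false; // base directory missing, or the file does not exist
    }
    // realpath() resolves "..", so a prefix check is enough to confine the path.
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
}

// --- Demo ------------------------------------------------------------------
// Build a phar whose metadata is a serialized Canary (constructed for this
// demo), then rename it to look like an image: the phar:// wrapper ignores
// the file extension, so an upload filter on extension alone does not help.
$tmp      = sys_get_temp_dir();
$pharPath = $tmp . '/canary.phar';
$disguise = $tmp . '/avatar.jpg';

if (filter_var(ini_get('phar.readonly'), FILTER_VALIDATE_BOOLEAN)) {
    fwrite(STDERR, "re-run with -d phar.readonly=0 to build the demo archive\n");
    exit(1);
}
@unlink($pharPath);
$phar = new Phar($pharPath);
$phar->startBuffering();
$phar->addFromString('x.txt', 'x');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata(new Canary());
$phar->stopBuffering();
unset($phar);
rename($pharPath, $disguise);

$untrusted = 'phar://' . $disguise . '/x.txt'; // what an attacker would submit

// 1. Vulnerable: the stat call alone triggers unserialize() on PHP 7.x.
Canary::$woken = false;
$exists = vulnerable_exists($untrusted);
printf("vulnerable_exists: %s, canary woken: %s\n",
    var_export($exists, true), var_export(Canary::$woken, true));

// 2. Hardened: the scheme check rejects the URI before any filesystem call.
Canary::$woken = false;
try {
    hardened_exists($untrusted, $tmp);
} catch (InvalidArgumentException $e) {
    printf("hardened_exists: rejected (%s), canary woken: %s\n",
        $e->getMessage(), var_export(Canary::$woken, true));
}

// A plain relative name inside the base directory is still served normally.
printf("hardened_exists('avatar.jpg'): %s\n",
    var_export(hardened_exists('avatar.jpg', $tmp), true));

unlink($disguise);
```

The scheme check is the important line: anything that can introduce a "phar://" prefix into a path that later reaches file_exists(), is_dir(), fopen(), copy(), unlink() or similar is in scope, which is why the advisory speaks of core, contrib and custom code alike. Confining the path to a base directory is a separate defence against traversal and does not by itself stop the phar issue, since realpath() simply returns false for wrapper URIs.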

In other CMS news, Joomla installs also need updating (to 3.9.2) because of an unrelated set of four security flaws, each a cross-site scripting (XSS) issue.

Joomla's developers rate the severity and impact of the flaws in all four advisories, released together on Tuesday, as 'low'. Joomla versions 2.5.0 through 3.9.1 are affected in all four cases.

More details on the bugs and their remediation can be found in Joomla’s security center.

RELATED Drupal addresses multiple critical flaws with latest release