Websites based on the Drupal content management system might be affected by a highly critical vulnerability that could result in remote code execution.
The vulnerability affects websites running Drupal 8 with RESTful Web Services (rest) module enabled if they allow PATCH or POST requests. Websites running Drupal with other services modules enabled, such as JSON:API for Drupal 8 or Services and RESTful Web Services in Drupal 7, are also affected.
The vulnerability has been fixed in Drupal 8.6.10 and Drupal 8.5.11. Drupal 7 does not require updates to its core components, but some third-party contributed modules do require updates to mitigate the flaw.
“To immediately mitigate the vulnerability, you can disable all web services modules, or configure your web server(s) to not allow PUT/PATCH/POST requests to web services resources,” the Drupal security team said in an advisory. “Note that web services resources may be available on multiple paths depending on the configuration of your server(s). For Drupal 7, resources are for example typically available via paths (clean URLs) and via arguments to the ‘q’ query argument. For Drupal 8, paths may still function when prefixed with index.php/.”
The Drupal CMS is used by many companies to build corporate websites but is also popular with educational organizations and governmental institutions around the world. Previous remote code execution vulnerabilities in Drupal have been exploited by hackers in widespread attacks.
Cisco Patches High-Risk Flaws in HyperFlex, Other Products
Cisco Systems released a new batch of security patches for its products, fixing six high-risk vulnerabilities, including two that can lead to root access.
Cisco’s HyperFlex distributed data storage platform received patches for two vulnerabilities. One is located in the hxterm service and could allow attackers to obtain root privileges after connecting to the vulnerable service as a local non-privileged user.
“A successful exploit could allow the attacker to gain root access to all member nodes of the HyperFlex cluster,” Cisco said in its advisory.
The second HyperFlex vulnerability is a command injection issue in the cluster service manager. This could allow an attacker to connect to the cluster service manager and inject commands into the process that would get executed on the affected host system with root privileges.
Both vulnerabilities affect all Cisco HyperFlex Software releases older than 3.5(2a).
A high-risk vulnerability has also been fixed in the Cisco Prime Collaboration Assurance (PCA) software. The flaw is located in the Quality of Voice Reporting (QOVR) service and could allow attackers to authenticate as a valid user if they know the username.
“A successful exploit could allow the attacker to perform actions with the privileges of the user that is used for access,” Cisco said in an advisory.
Cisco Prime Infrastructure received a fix for a vulnerability in the Identity Services Engine (ISE) integration feature that could allow hackers to perform man-in-the-middle attacks. The issue is located in the validation of the server SSL certificate, so attackers could use a crafted certificate to intercept sensitive communications between the Identity Services Engine and Cisco Prime Infrastructure.
The Cisco Network Convergence System 1000 Series also had a directory traversal vulnerability in the TFTP service that could be exploited by unauthenticated attackers to retrieve arbitrary files from the system. Exploitation of this flaw could result in the disclosure of sensitive information.
Cisco has also posted an advisory about the recent vulnerability in runC, which affects container engines such as Docker. The company is still investigating whether a number of its products are affected and has already identified two that are: Cisco Container Platform and Cisco Defense Orchestrator. The list of vulnerable and non-vulnerable products will continue to be updated.
In addition to the high-risk vulnerabilities, Cisco has fixed 11 medium-severity ones in products ranging from Cisco Webex to IP phones and Cisco Firepower 9000 security appliances.