WordPress News
Drupal Security Warning: Critical Patch Coming Wednesday for Core Vulnerability
Drupal warns of a highly critical vulnerability in Drupal core scoring 20/25 on severity scales. Patches release Wednesday, May 20, and the security team urges immediate installation as exploits could emerge within hours.
If you run a Drupal website, you need to mark your calendar for Wednesday afternoon. The organization behind the popular open source content management system just issued an urgent warning about a highly critical vulnerability in Drupal core.
This is not a drill. The Drupal Security Team says you should clear your schedule Wednesday and be ready to patch immediately when the fix drops.
What We Know About the Drupal Vulnerability
The Drupal team is playing their cards close to the vest right now. They are not sharing specific details about what is broken or how it could be exploited. However, they will release both the information and the patch simultaneously on Wednesday, May 20, between 1700 and 2100 UTC.
What makes this particularly worrying is the severity score. Using NIST’s standard scoring methodology, this vulnerability scored 20 out of a possible 25 points. That is extremely serious.
According to Drupal’s own severity rating system, this bug has some nasty characteristics. First, it is trivially easy to exploit. Second, an attacker does not need any special privileges to use it. Third, it could expose all non-public data on your site. Finally, attackers could potentially modify or delete whatever they want.
Why This Matters for Your Website
The Drupal Security Team issued a stark warning in their advisory. They said exploits could be developed within hours or days of the patch release. Therefore, you need to act fast once Wednesday arrives.
Your site could become a target almost immediately after the details become public. Malicious actors will be studying the patch to reverse-engineer the vulnerability. Consequently, any delay in updating could leave your site exposed.
Which Drupal Versions Are Affected
The vulnerability affects Drupal core, the base framework that every Drupal site runs on. An update from the Drupal Security Team clarifies that Drupal CMS installations might also be vulnerable, since Drupal CMS is built on core and includes its components.
Security releases will be published for all currently supported core branches. These include versions 11.3.x, 11.2.x, 10.6.x, and 10.5.x. Additionally, Drupal is releasing patches for the unsupported 11.1.x and 10.4.x branches.
Users still running ancient versions 8.9 and 9.5 will get patches too, given the severity of this issue. Nevertheless, these patches require manual installation and might introduce other bugs. Drupal strongly recommends upgrading to a supported version instead.
Good news for Drupal 7 users: you are not affected by this vulnerability.
Not All Configurations Are Vulnerable
There is one small silver lining here. The vulnerability does not affect every single Drupal installation. It only impacts sites using what Drupal calls “uncommon module configurations.”
This is why Drupal recommends everyone set aside time Wednesday to determine if their site is vulnerable. You will need to check your specific configuration once the details are released.
What You Should Do Right Now
Do not wait until Wednesday to prepare. Drupal recommends you update to the latest supported release before the security patch drops. This way, you can address any other upgrade issues beforehand.
The actual patch installation should be quick. According to Drupal, it takes “minutes or maybe seconds depending on the site.” Furthermore, you likely will not need to take your site offline to install it.
If you use Drupal Steward, the paid web application firewall service, you have some protection against known attack vectors. However, Drupal still recommends you update your core installation. Additional exploit methods could emerge that bypass the WAF protection.
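To prepare before Wednesday, it helps to know where every site you operate stands against the branches listed above. The following script is an added example, not code from the article or from the Drupal project; it classifies core version strings against the advisory's branch list and prints a triage report. The `drush status --field=drupal-version` command in the comment is an assumed way to obtain each version, and the inventory is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the article or the Drupal project): triage a fleet
# of Drupal sites by core version against the branches the advisory names,
# so you know before Wednesday which sites get a supported security release,
# which need a manual patch, and which are unaffected.
# Obtain each site's version the way you normally do, for example (assumed
# command) `drush status --field=drupal-version` run in the site's docroot.

# Classify a core version string ("10.5.3") by its major.minor branch.
drupal_core_triage() {
  branch=$(printf '%s' "$1" | cut -d. -f1-2)   # "10.5.3" -> "10.5"
  case "$branch" in
    11.3|11.2|10.6|10.5) echo supported ;;           # security release published
    11.1|10.4)           echo unsupported-patched ;; # release provided, upgrade anyway
    8.9|9.5)             echo eol-manual-patch ;;    # patch file only, manual install
    7|7.*)               echo not-affected ;;        # Drupal 7 is not affected
    *)                   echo unknown ;;
  esac
}

# Action text per triage class, taken from the advisory's recommendations.
drupal_core_action() {
  case "$(drupal_core_triage "$1")" in
    supported)           echo "update core in the 1700-2100 UTC window" ;;
    unsupported-patched) echo "apply the release, then move to a supported branch" ;;
    eol-manual-patch)    echo "apply manual patch; older unpatched issues remain" ;;
    not-affected)        echo "no action for this advisory" ;;
    *)                   echo "branch not in the advisory; verify manually" ;;
  esac
}

# Constructed sample inventory (site name, core version), one site per line.
SAMPLE_INVENTORY='intranet 10.5.3
shop 11.3.1
legacy-blog 9.5.11
old-portal 7.98
staging 11.1.4'

# Print a triage report for the sample inventory.
printf '%s\n' "$SAMPLE_INVENTORY" | while read -r site version; do
  printf '%-12s %-8s %-20s %s\n' "$site" "$version" \
    "$(drupal_core_triage "$version")" "$(drupal_core_action "$version")"
done
```

Sites in the "unknown" class are on a branch the advisory does not mention, so they need a manual check against the release notes once they are published.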
The Risk of Staying on Old Versions
Sites still running Drupal 8 or 9 face additional risks beyond this single vulnerability. These versions contain numerous other previously disclosed security vulnerabilities. Neither Drupal Steward nor the emergency patch files will address those older issues.
If you are still on version 8.9 or 9.5, this critical vulnerability should be your wake-up call. Upgrading to a supported branch protects you from both this new threat and all those other unpatched security holes.
Mark Your Calendar for Wednesday
Clear your schedule for Wednesday afternoon, May 20. Be ready to act between 1700 and 2100 UTC when Drupal releases the patch and vulnerability details.
Check whether your site configuration is affected. If it is, install the patch immediately. Do not be the person who waits until next week and ends up with a compromised website.
The Drupal Security Team is treating this seriously enough to issue advance warning and release patches for unsupported versions. You should treat it with the same urgency. Your website’s security depends on it.
Key Takeaways
- Drupal will release the vulnerability details and the patch simultaneously on Wednesday, May 20, between 1700 and 2100 UTC.
- Using NIST's standard scoring methodology, this vulnerability scored 20 out of a possible 25 points.
- Security releases cover the supported branches 11.3.x, 11.2.x, 10.6.x, and 10.5.x.
- Neither Drupal Steward nor the emergency patch files will address the older issues in Drupal 8.9 or 9.5; if you are still on those versions, this vulnerability should be your wake-up call.
- Be ready to act between 1700 and 2100 UTC, check whether your site configuration is affected, and patch immediately if it is.
Original Source: www.theregister.com
Sources
- Clear your calendar, Drupal user: You have a critically urgent patch to install — www.theregister.com

