Drupal has issued a pair of updates to address two security vulnerabilities in its online publishing platform. The vulns are a little esoteric, and will not affect most sites, but it's good to patch just in case you later add functionality that can be exploited.
Both Drupal.org and US-CERT are advising admins to test and install the two Drupal core fixes, both concerning flaws that can be exploited to perform remote-code execution. As their bug ID numbers would suggest, the updates are the first fixes for Drupal core this year, and they were found by the company's own security team.
The first update, 2019-001, addresses a PEAR Archive_Tar library vulnerability. The security hole, assigned CVE-2018-1000888, can be exploited by a malicious tar file to achieve remote code execution via a deserialization blunder when extracting the archive. Presumably if your website doesn't handle tar archives, then you should be fine, though it's best to install the fix anyway.
2019-001 updates the version of PEAR Archive_Tar used in Drupal core to a non-vulnerable build. Deleting data remotely is also possible.
The second fix, 2019-002, addresses a vulnerability in the way Drupal core handles
phar:// URIs in file operations. A vulnerable script would have to pass a maliciously crafted string from a user to a file operation to trigger the bug and achieve remote code execution.
Drupal drisputes dreport of widespread wide-open websites – whoaREAD MORE
While the patch is considered critical, not every Drupal instance will be vulnerable to attack: most webapps won't chuck user input into file calls without stripping out anything that looks like a protocol like
"Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability," the advisory reads. "This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration."
In addition to updating the phar stream wrapper, Drupal is opting to bump the .phar extension to "dangerous" status, meaning all files uploaded with it will be converted to text to prevent it being accidentally executed.
Admins are being advised to double check that the update has been successfully installed, as there have been multiple reports that updates over the Drush shell have been failing due to errors. ®