Why a critical security hole is actually not so bad? (UPDATE: drupalgeddon2 weaponized)

 

UPDATE on 14. April 2018: Now there is a automated attacks active after Checkpoint released post two days ago how the vulnerability works.

 

First (before the problem)

If you have a Drupal site and this is the first time you hear about the critical vulnerability published on March 28 2018 read the two last chapters immediately.

During the last week in the Drupal community around the world there has been a hustle about the security hole which was named DrupalGeddon2 [1] [2]. This vulnerability was "highly critical" and got many people scared - unnecessary. This post tries to explain when the vulnerability will become a problem? When the vulnerability is actually not a problem and how to handle the situation right. 

Drupal project has a own dedicated security team [3] which will take care of security issues like how to patch the found issues right and deal with the public announcement about it. A week before the publication [4] there was a announcement that a vulnerability has been found and a patch will be released on March 28th between 18:00-19:30 UTC.

In other words that is trying to tell all the site owners or people responsible about the updates that "Be ready to patch your site when we make the announcement. IMMEDIATELY!"

TIP Solution and many other companies who do things right reserved time from their calendars for 28.-29.3.2018 to patch the sites.

Day or couple days before the announcement

When the official announcement about the vulnerability was made it was known that the patch will be for core and sites will be patched pretty easily. So there won't be a lot of downtime.

We told the site owners about the update and the sites will be patched between 0-48 hours after the announcement. 

All our clients have a maintenance contract which makes it to our responsibility to keep on eye the announcements and sites updated without any additional costs.

Day of publication 

The cores were easy to patch (thanks to composer workflow and doing the development right) so all the sites were safely patched after a few hours. The process took a little longer than expected because we brought the sites up to date including the modules.

When the sites were patched the site owners were again informed.

Present moment (five days after the announcement)

Before the publication there was some talk that there might be attacks after a few hours. At the moment there is still no information if any sites has been compromised. We'll see...

Sometimes hackers share their knowledge how to exploit the vulnerability (PoC) and sometimes they just keep the knowledge to their selves that they can crack sites without that anyone notices. Therefore we can never be sure if there are attacks available or on going right now so the sites should be patched anyway.

How do you know if you site is patched?

Go to https://yourwebsite.com/admin/reports/status and check that your site's core that it is at least 7.58 or 8.5.1. Or alternatively someone has patched your site manually.

If you are not sure contact your site's administrator immediately!

Summary

You don't need to worry about the security updates if you are ready to patch the site as soon as there is a release. This is why a found security patch (by the white hats) is a good thing. Finding vulnerabilities and patching them is a natural part of every software project. 

Thank you security team for handle the case right!

 

[1] https://www.drupal.org/sa-core-2018-002

[2] https://www.drupal.org/PSA-2014-003

[3] https://www.drupal.org/drupal-security-team

[4] https://www.drupal.org/psa-2018-001

 

CEO, Full stack developer
Tipi Koivisto

Add new comment