Update: Our action points against Drupal remote code execution PSA-2016-001

The Drupal Security team announced the release of a patch for a highly critical remote code execution vulnerability (PSA-2016-001). The release of this patch is scheduled for Wednesday, July 13th, 2016 at 16:00 UTC. The public service announcement states that several modules are affected.

It’s not yet known which modules are affected. It’s crucial to update all sites that have those modules installed.

With SA-CORE-2014-005 back in 2014, we observed that the first attacks were running against sites about 7 hours after the initial release of the security patch. As time is always a factor when dealing with highly critical fixes, we have already organized our team of engineers to be ready as soon as the patches are released.

The amazee.io team assessed the situation and outlined the following mitigation actions:

  1. If it is possible to mitigate the threat via built-in amazee.io security measures, we will protect customer sites against the vulnerability. The customer will be informed that the site hosted at amazee.io is vulnerable and will receive instructions and a due date to fix their site against the vulnerability.
  2. If we cannot mitigate the attack vector via amazee.io infrastructure and a customer site is affected, we will password-protect the customer site to ensure the security and integrity of the site. The password-protection will be removed as soon as the site has been patched by the client and the vulnerability is closed.

Update 16:00 UTC:

The Drupal Security Team released three security patches: two of them are Highly Critical and one is Critical.

1. Highly Critical: RESTWS https://www.drupal.org/node/2765567 
We have started searching through all sites to see which of them have this module installed. We suggest updating the module immediately if it is installed.

2. Highly Critical: Coder https://www.drupal.org/node/2765575 
This module has a highly critical security hole that allows PHP code to be executed when a PHP file within the module's directory is visited.
At amazee.io we do not allow execution of PHP files other than the main index.php, so this issue is not critical for sites hosted on amazee.io.
We nevertheless started a search through all sites to see which of them have the module installed.

3. Critical: Webform Multiple File Upload https://www.drupal.org/node/2765573 
We have started searching through all sites to see which of them have this module installed. We suggest updating the module immediately if it is installed.

Update 16:55 UTC:

We conducted a search through all sites hosted on amazee.io:
- We found one site that had the module “webform_multifile” installed. This website has been patched on production.
- We found multiple sites where the coder module exists (remember, it just needs to exist, it does not specifically need to be installed). As the amazee.io infrastructure protects against such attacks, there is no urgent need to update this module. We informed the clients whose sites contain this module.

With that, all sites on amazee.io are secure and no further urgent actions are needed.
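
The site-wide search described in the 16:55 update can be approximated with a filesystem scan that looks for the module files rather than asking Drupal which modules are enabled. This is an added example, not amazee.io's own tooling; it assumes each top-level directory under the hosting root belongs to one site, and the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Machine names of the three modules named in the advisories above.
AFFECTED = {"restws", "coder", "webform_multifile"}
VERSION_RE = re.compile(r'^[ \t]*version[ \t]*=[ \t]*"?([^"\n]+?)"?[ \t]*$', re.M)


def find_affected_modules(hosting_root):
    """Return sorted (site, module, version, path) tuples for modules found on disk.

    A hit is a directory <name>/ holding <name>.info. Drupal's enabled-module
    list is never consulted, because the Coder issue only needs the files to exist.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(hosting_root):
        name = os.path.basename(dirpath)
        if name in AFFECTED and f"{name}.info" in filenames:
            info = os.path.join(dirpath, f"{name}.info")
            with open(info, encoding="utf-8", errors="replace") as fh:
                match = VERSION_RE.search(fh.read())
            # Assumption: the first path component under the root names the site.
            site = os.path.relpath(dirpath, hosting_root).split(os.sep)[0]
            hits.append((site, name, match.group(1) if match else "unknown", dirpath))
            dirnames[:] = []  # skip the module's own subfolders
    return sorted(hits)


def scan_sample():
    """Run the scan over a constructed tree (not real customer data)."""
    layout = {
        "site-a/sites/all/modules/contrib/coder/coder.info": 'version = "7.x-0.0-sample"\n',
        "site-a/sites/all/modules/views/views.info": "name = Views\n",
        "site-b/sites/default/modules/webform_multifile/webform_multifile.info": "name = x\n",
        "site-c/docs/coder/README.txt": "a folder named coder, but not a module\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(site, mod, ver) for site, mod, ver, _ in find_affected_modules(root)]


if __name__ == "__main__":
    for row in scan_sample():
        print("\t".join(row))
```

A copy of a module whose `.info` file has been removed would be missed by this heuristic, so a match on the directory name alone is worth a manual look.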