On 19 February 2019, the Drupal security team issued DRUPAL-PSA-2019-02-19 advising of a highly critical security release for Drupal 8 core and Drupal 7 modules.
It is advised that customers set aside time to plan for a core upgrade immediately following the release on 20 February 2019, between 18:00 and 22:00 UTC (1:00pm - 5:00pm EST / 10:00am - 2:00pm PST).
For customers with Remote Administration (RA) services, Acquia will begin providing security updates immediately following the release on February 20. However, due to the large volume of applications we update, customers should expect to receive an update within 48 hours of the update being released. We highly recommend you plan to move this update to your production environment as soon as you can.
As soon as you receive an update ticket from us, we strongly recommend that you test and respond as soon as possible so the update can be moved to your production application. Acquia will not move forward with updates until they are tested and explicitly approved in the RA ticket.
Should you receive an update ticket while already in the process of updating your application, no further action is required. Simply set the ticket to solved.
Frequently Asked Questions (FAQ)
Q: Has Acquia implemented a platform-level mitigation for this Drupal core vulnerability?
No. Due to the nature of this vulnerability, Acquia cannot provide a platform-level mitigation for it. As a result, we strongly urge you to complete the recommended update to your production application as soon as possible.
Q: What do I need to update in Drupal 8?
We recommend you implement the following updates for Drupal 8 applications:
- Drupal core to 8.6.10 or 8.5.11: https://www.drupal.org/sa-core-2019-003
- JSON:API to 8.x-1.25, or 8.x-2.3 if you use the 2.x branch: https://www.drupal.org/sa-contrib-2019-019
- Metatag to 8.x-1.8: https://www.drupal.org/sa-contrib-2019-021
- Video to 8.x-1.4: https://www.drupal.org/sa-contrib-2019-022
- Paragraphs to 8.x-1.6: https://www.drupal.org/sa-contrib-2019-023
- TMGMT to 8.x-1.7: https://www.drupal.org/sa-contrib-2019-024
- Font Awesome Icons to 8.x-2.12: https://www.drupal.org/sa-contrib-2019-025
Q: What do I need to update in Drupal 7?
We recommend you implement the following updates for Drupal 7 applications:
- RESTful Web Services to 7.x-2.8: https://www.drupal.org/sa-contrib-2019-018
Additionally, if your application employs any web services module such as RESTWS, Services, RESTful, or any similar contributed or custom module, we recommend the following update:
- Link to 7.x-1.6: https://www.drupal.org/sa-contrib-2019-020
If no such module is enabled, this advisory does not affect your application.
Q: If my application has WAF layer protection, like Acquia Cloud Edge Protect, what do I need to do?
In the original security announcement we indicated that this could be mitigated by blocking POST, PATCH and PUT requests to web services resources; there is now a new way to exploit this using GET requests, so blocking those methods alone is not sufficient.
Per https://www.drupal.org/psa-2019-02-22, the best mitigation is:
- If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
- If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
- Be sure to install any available security updates for contributed projects after updating Drupal core.
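To turn the Drupal 8 and Drupal 7 update lists above, together with the core branch rule from the PSA, into a repeatable check, here is an added audit helper (example code written for this article, not Acquia's or Drupal's own tooling). It assumes the drupal.org project machine names used as keys (jsonapi, metatag, video, paragraphs, tmgmt, fontawesome, restws, link) and takes the installed core version, installed contrib versions and the enabled module list as plain inputs, so it can be fed from whatever inventory you already have; custom web services modules still need a manual judgement.

```python
import re

# Fixed versions from SA-CORE-2019-003 and the contrib advisories in this
# article; contrib keys are drupal.org project machine names (assumed here).
CORE_FIXED = {5: (8, 5, 11), 6: (8, 6, 10)}   # 8.5.x or older -> 8.5.11, 8.6.x -> 8.6.10
CONTRIB_FIXED = {
    "jsonapi": {"8.x-1": "8.x-1.25", "8.x-2": "8.x-2.3"},
    "metatag": {"8.x-1": "8.x-1.8"}, "video": {"8.x-1": "8.x-1.4"},
    "paragraphs": {"8.x-1": "8.x-1.6"}, "tmgmt": {"8.x-1": "8.x-1.7"},
    "fontawesome": {"8.x-2": "8.x-2.12"}, "restws": {"7.x-2": "7.x-2.8"},
    "link": {"7.x-1": "7.x-1.6"},
}
# Drupal 7 web services modules named in the article; the Link update is
# only needed when one of these (or a similar custom module) is enabled.
WEB_SERVICE_MODULES = {"restws", "services", "restful"}
CORE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-\w+)?$")   # 8.6.9-rc1, 7.64
CONTRIB_RE = re.compile(r"^(\d)\.x-(\d+)\.(\d+|x)(-\w+)?$")  # 8.x-1.0-beta3

def _key(patch, suffix):
    # A pre-release (-rc1, -dev) of version N sorts below the N release.
    return (int(patch), 0 if suffix else 1)

def needed_updates(core_version, projects, enabled_modules):
    """Return [(project, installed, required)] for everything still unpatched;
    versions that cannot be compared (unparseable, .x-dev) get required='verify'.
    projects maps machine name -> installed version, e.g. {"metatag": "8.x-1.7"}."""
    todo = []
    m = CORE_RE.match(core_version)
    major, minor = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    if not m or (major == 8 and not m.group(3)):
        todo.append(("core", core_version, "verify"))
    elif major == 8 and minor <= 6:              # D7 core and 8.7+ are not covered
        fixed = CORE_FIXED[max(minor, 5)]        # 8.4.x and older must go to 8.5.11
        if (8, minor) + _key(m.group(3), m.group(4)) < fixed + (1,):
            todo.append(("core", core_version, ".".join(map(str, fixed))))
    needs_ws = bool(set(enabled_modules) & WEB_SERVICE_MODULES)
    for name, version in projects.items():
        branches = CONTRIB_FIXED.get(name)
        if not branches or (name == "link" and not needs_ws):
            continue
        m = CONTRIB_RE.match(version)
        required = branches.get(f"{m.group(1)}.x-{m.group(2)}") if m else None
        if m is None or m.group(3) == "x":
            todo.append((name, version, "verify"))
        elif required:                           # branch named in an advisory
            r = CONTRIB_RE.match(required)
            if _key(m.group(3), m.group(4)) < _key(r.group(3), r.group(4)):
                todo.append((name, version, required))
    return todo
```

An empty result means every project named in this article is at or above its fixed release; a "verify" entry means the installed version string could not be compared and must be checked by hand.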
This article will be updated as new information becomes available.
Last updated: 2019-02-25 - 20:14:00 UTC