Drupal Partners Blogs

How To Secure Your Drupal Website From Drupalgeddon 2?

What Is Drupalgeddon2?

Drupal developers have discovered a vulnerability that could let an attacker take over any Drupal website that can be reached by URL. The threat is called Drupalgeddon2, with the official identifier CVE-2018-7600. As the name suggests, this is the second iteration, the first having been reported in 2014. Currently, if your website's CMS runs on Drupal 6, 7 or 8, you should be concerned about this threat. Reports suggest that over one million sites could be affected if the security patch is not applied.

How Critical Is Drupalgeddon2?

With a NIST Common Misuse Scoring System risk score of 21/25, the security threat is highly critical. It allows modification or deletion of system data, and default or common module configurations can also be exploited.

All non-public data is accessible, and no special privilege is required to exploit the site, which leaves it open and highly vulnerable. Any attacker can easily leverage the vulnerability to modify or exploit the data.

Which Drupal Versions Are Affected?

All Drupal sites running Drupal 6, Drupal 7, Drupal 8.3.9 or 8.4.6 are exposed to this highly critical vulnerability. If your website is running Drupal 8.0, 8.1 or 8.2, you have to update to Drupal 8.3.9 or 8.4.6 in order to apply the security patch.

Do We Have A Fix?

Thankfully, YES! We have a solution. The security patch addresses a remote code execution vulnerability and prevents attackers from exploiting multiple attack vectors on the Drupal site.

Fix For Drupal 8 & 7

Update your Drupal 8 to Drupal 8.3.9 or 8.4.6 and then upgrade to 8.5.x. If you are unable to upgrade immediately, try applying this patch. For Drupal 7 websites, upgrade to Drupal 7.58. If you are unable to upgrade, apply this patch.

Fix For Drupal 6

For Drupal 6 websites, security patches are available. Please check Drupal 6 Long Term Support.
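To find out which of the fixes above applies to a given site, you can read the core version from the code base and compare it with the releases named in the fix sections. The script below is an added example, not code from Drupal Partners or the Drupal project; it assumes the standard locations where Drupal core records its version string, and the function names and status labels are illustrative.

```python
import re
import tempfile
from pathlib import Path

# Where each Drupal major version records its core version string.
VERSION_FILES = [
    ("core/lib/Drupal.php", r"const\s+VERSION\s*=\s*'([^']+)'"),            # Drupal 8
    ("includes/bootstrap.inc", r"define\('VERSION',\s*'([^']+)'\)"),        # Drupal 7
    ("modules/system/system.module", r"define\('VERSION',\s*'([^']+)'\)"),  # Drupal 6
]

def detect_version(docroot):
    """Return the core version string found under docroot, or None."""
    for rel, pattern in VERSION_FILES:
        path = Path(docroot) / rel
        if path.is_file():
            m = re.search(pattern, path.read_text(errors="replace"))
            if m:
                return m.group(1)
    return None

def advice(version):
    """Map a version string to (status, action) using the releases named in the article."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    nums += [0] * (3 - len(nums))
    major, minor, patch = nums[:3]
    if major == 6:
        return "UPDATE", "apply the Drupal 6 Long Term Support patch"
    if major == 7:
        return ("OK", "7.58 or later") if minor >= 58 else ("UPDATE", "upgrade to 7.58")
    if major == 8:
        if minor <= 2:
            return "UPDATE", "update to 8.3.9 or 8.4.6, then 8.5.x"
        if minor in (3, 4):
            fixed = {3: 9, 4: 6}[minor]
            if patch < fixed:
                return "UPDATE", f"update to 8.{minor}.{fixed}, then 8.5.x"
            return "OK", f"8.{minor}.{fixed} or later"
    return "REVIEW", "no patch level given in the article; check the advisory"

def demo():
    """Build a constructed Drupal 7.57 tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        inc = Path(root) / "includes"
        inc.mkdir()
        (inc / "bootstrap.inc").write_text("<?php\ndefine('VERSION', '7.57');\n")
        found = detect_version(root)
        return found, advice(found)

if __name__ == "__main__":
    print(demo())
```

A site that applied the patch without upgrading keeps its old version string, so an UPDATE result there needs a manual check of the patched files.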

Ask us for help

If you are not sure how to update, contact us. At DrupalPartners, we are ready to extend our complete support to update your site and protect it from this attack. We ensure your site is updated with the latest security patch, preventing attackers from accessing your data or exploiting your configuration.

Started in 2009, DrupalPartners are passionate contributors to Drupal and its open source community. Our strong team has gained experience from projects for various industries including government, retail, eCommerce, non-profits and higher education, to name a few.

We continue to provide Drupal services such as building Drupal-based websites, migrating sites from Drupal 6 to 7 and Drupal 7 to 8 and more. When you hire DrupalPartners, expect nothing less than perfection.