
What happened?

A critical access bypass vulnerability was published and fixed by the Drupal Security Team on 19th April 2017. A remote attacker can gain access to a Drupal 8.x web site through the RESTful Web Services module using PATCH requests.

The vulnerability has been assigned CVE-2017-6919.

Description from Drupal

This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:

  • The site has the RESTful Web Services (rest) module enabled.
  • The site allows PATCH requests.
  • An attacker can get or register a user account on the site.

While we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we have also provided an 8.2.x release to ensure that sites that have not had a chance to update to 8.3.0 can update safely.

Versions affected:

  • Drupal 8 prior to 8.2.8 and 8.3.1.
  • Drupal 7.x is not affected.

Source: https://www.drupal.org/SA-CORE-2017-002

DenyAll Statement

Despite the limited information available on the vulnerability, a rule on the HTTP request method can be added to the DenyAll WAF to mitigate it.

DenyAll WAF and i-Suite products

In your ICX configuration, add a rule with a condition on the request method, as in the example presented below, to block any request that uses the PATCH method.

To fully mitigate this flaw, we recommend upgrading your Drupal application(s) to version 8.2.8 or 8.3.1.
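The following Python script is an added example written for this page; it is not DenyAll or Drupal code and does not reproduce the ICX rule syntax. It shows the two checks a defender would run while applying the advisory: a version triage against the fixed releases named above (8.2.8 and 8.3.1), and a scan of web-server access logs that flags PATCH requests, which is the same method-only condition the WAF rule enforces. The log format assumed is the Apache/nginx "combined" format, the sample log lines are constructed, and the `?_format=json` style paths in them are only illustrative of Drupal 8 REST requests.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases per the advisory: 8.2.8 on the 8.2.x branch, 8.3.1 on 8.3.x.
FIXED_VERSIONS = {(8, 2): (8, 2, 8), (8, 3): (8, 3, 1)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.3.0' (or '7.54') into a comparable (major, minor, patch) tuple.
    A trailing suffix such as '-rc1' or '-dev' is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected_version(version: str) -> bool:
    """True when a Drupal core version falls in the advisory's affected range
    ('Drupal 8 prior to 8.2.8 and 8.3.1'; Drupal 7.x is not affected)."""
    major, minor, patch = parse_version(version)
    if major != 8:
        return False
    if (major, minor) in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[(major, minor)]
    # 8.0.x / 8.1.x are unsupported branches that never received a fix release,
    # so they are treated as affected; 8.4.x and later were cut after the fix.
    return minor < 2


# Apache/nginx "combined" format (assumption for this example):
# host ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["status"] = int(m.group("status"))
    return entry


def find_patch_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return every parsed entry whose HTTP method is PATCH, whatever the path.
    The advisory gives no endpoint detail, so the condition is method-only,
    exactly like the WAF rule described on this page."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None and entry["method"] == "PATCH":
            hits.append(entry)
    return hits


def patch_sources(lines: List[str]) -> Dict[str, int]:
    """Count PATCH requests per source address, a quick view for incident triage."""
    counts: Dict[str, int] = {}
    for entry in find_patch_requests(lines):
        ip = str(entry["ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def waf_decision(method: str) -> str:
    """Mirror of the advisory's mitigation: block on request method alone."""
    return "block" if method.upper() == "PATCH" else "allow"


# Constructed sample log lines (not real traffic); the paths are illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2017:10:02:11 +0200] "GET /node/1?_format=json HTTP/1.1" 200 512 "-" "curl/7.52.1"',
    '203.0.113.5 - - [20/Apr/2017:10:02:15 +0200] "PATCH /node/1?_format=json HTTP/1.1" 200 0 "-" "curl/7.52.1"',
    '198.51.100.7 - - [20/Apr/2017:10:03:01 +0200] "POST /user/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Apr/2017:10:05:40 +0200] "PATCH /user/1?_format=hal_json HTTP/1.1" 403 0 "-" "curl/7.52.1"',
    "this line is not an access-log entry and is skipped",
]


if __name__ == "__main__":
    for v in ("8.2.7", "8.2.8", "8.3.0", "8.3.1", "7.54"):
        print(f"Drupal {v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for hit in find_patch_requests(SAMPLE_LOG):
        print(f"PATCH from {hit['ip']} to {hit['path']} -> status {hit['status']}, "
              f"WAF would {waf_decision(str(hit['method']))}")
    print("PATCH requests per source:", patch_sources(SAMPLE_LOG))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; a non-zero result from `find_patch_requests` on a site that has no legitimate PATCH consumers is the signal to review, and `is_affected_version` tells you whether the upgrade to 8.2.8 or 8.3.1 is still outstanding.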
