Description:

Drupal released security updates to fix the vulnerability resided in the Drupal Core and its modules. An attacker could send a specially crafted PUT/PATCH/POST request to a vulnerable system to exploit the vulnerability.

Report indicates that active exploitation against the vulnerability (CVE-2019-6340) has been observed. Users are advised to take immediate action to patch your affected systems and update all affected contributed modules to mitigate the elevated risk of cyber attacks.

Affected Systems:

• Drupal 8.5.x, 8.6.x
• Drupal 7.x

Please note that no security updates will be provided for the versions of Drupal 8 prior to 8.5.x. Users should upgrade the Drupal to a supported branch or arrange migrating to other supported technology.

Impact:

A successful attack could lead to remote code execution on an affected system.

Recommendation:

The product vendor has released patches to address the issues.

• Drupal 8.6.10
  https://www.drupal.org/project/drupal/releases/8.6.10
  
  
• Drupal 8.5.11
  https://www.drupal.org/project/drupal/releases/8.5.11
  
  
• For Drupal 7.x, only contributed modules are required to be updated
  https://www.drupal.org/security/contrib
  
  

More Information:

https://thehackernews.com/2019/02/drupal-hacking-exploit.html
https://www.imperva.com/blog/latest-drupal-rce-flaw-used-by-cryptocurrency-miners-and-other-attackers/
https://www.drupal.org/sa-core-2019-003
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6340