Drupal – Critical Arbitrary PHP code execution Vulnerability
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.
This is a different issue than SA-CORE-2019-012. Similar configuration changes may mitigate the problem until you are able to patch.Solution:
Install the latest version:
- If you are using Drupal 9.0, update to Drupal 9.0.9
- If you are using Drupal 8.9, update to Drupal 8.9.10
- If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12
- If you are using Drupal 7, update to Drupal 7.75
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.