Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity

    Drupal Users Had Seven Hours to Patch or Be Hacked

    By
    Sean Michael Kerner
    -
    October 31, 2014
    Share
    Facebook
    Twitter
    Linkedin
      software flaw

      Whenever a security exploit is fixed, users are advised to patch quickly to reduce the risk of attack. In the case of a recent open-source Drupal content management system (CMS) vulnerability, the window in which users needed to patch before being exploited has been quantified as being only seven hours.

      On Oct. 15, Drupal issued its SA-CORE-2014-005 advisory, warning of a highly critical SQL injection vulnerability that is also identified as CVE-2014-3704. Drupal is a widely deployed CMS that is used by the White House and the U.S. Federal Communications Commission (FCC), among other notable organizations.

      On Oct. 29, the Drupal project issued a follow-up warning that it was aware of public attacks against Drupal sites that had not patched for CVE-2014-3704.

      “You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” the Drupal project warned.

      How the Drupal project was able to define the window of vulnerability is thanks in no small part to its community of hosting vendors. Greg Knaddison, director of engineering at Card.com and a member of the Drupal Security Team, explained to eWEEK that several companies that provide hosting focused on Drupal decided to create platform-level protection against this issue that not only mitigated the attacks, but also recorded data about them.

      “While the rate of sites upgrading for this release has been better than the historic rate, it’s still not ideal,” Knaddison said. “The statement is perhaps stern, but also realistic. Our goal is to encourage people to take action so that these compromised sites are cleaned up as soon as possible.”

      While patching is what the Drupal project would prefer all administrators do, there is another mitigation that can help protect unpatched sites.

      “A well crafted WAF (Web Application Firewall) rule should be able to prevent this attack, and indeed CloudFlare had a rule running within hours of the release,” Knaddison said. “They do still recommend upgrading sites as soon as possible, which I think is prudent.”

      For the CVE-2014-3704 vulnerability, a Drupal administrator must go into the CMS and update, as there isn’t currently an automated update mechanism for the core application. Knaddison explained that Drupal has a system for installing and updating extensions (including modules and themes) but not for the core itself.

      “It does require a site admin to actually log in and click a few buttons,” he said. “Some Drupal-focused hosting companies have tools that make updating the core a similarly simple login-click-click-click operation.”

      Knaddison added that some Drupal hosting companies also offer more automated updates. The idea of automated CMS updates is one that is already being used by other projects. The open-source WordPress blogging and CMS platform introduced automatic updates for security issues starting with the WordPress 3.7 release in October 2013.

      Speaking about Drupal in particular, Knaddison noted that there’s a risk to automated update systems in that they require configurations of the Webserver that put the system at risk in other situations.

      “Given that trade-off, there has always been lukewarm support for the idea of in-site and/or automated upgrades within the Drupal community,” he said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×