On Wednesday we received an announcement that a number of contributed Drupal modules had remote code execution vulnerabilities.
According to the Drupal security team this would only affect around 1000-10,000 Drupal sites, which accounts for around 1% of all Drupal sites. From this we knew it wouldn't affect the major contrib modules, like Views, as they're installed on most Drupal sites.
At 5pm BST yesterday, the following contrib module announcements were released:
- RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
- Coder - Highly critical - Remote code execution - SA-CONTRIB-2016-039
- Webform Multiple File Upload - Critical - Remote code execution - SA-CONTRIB-2016-038
As an ITIL-accredited service desk, we were primed and ready to go in advance of the release, having alerted clients of the planned release and arranged additional support from our infrastructure and development teams should it be required.
Shortly after the release our Drupal support team got to work, quickly establishing that around 15% of our clients' sites were affected. The most common module that had to be updated was Coder. Although Coder wasn't enabled on any production site, a module doesn't need to be enabled to be exploited: it only has to be present in the docroot. Within an hour all client sites had been patched and secured.
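Because a module on disk is reachable whether or not it is enabled, checking the site's enabled-module list is not enough; the docroot itself has to be searched. The following is an added example (not from the original post or the Drupal project) that lists every copy of the named modules under a Drupal 7 docroot, with the version from each module's .info file, so it can be compared against the advisory. The function name and the module machine names passed to it are assumptions; `coder` and `restws` are the machine names of the first two modules above.

```shell
#!/bin/sh
# Added example: find Drupal 7 contrib modules that are present anywhere under
# a docroot, enabled or not, and report the version declared in their .info file.
# Usage: find_drupal_modules /var/www/docroot coder restws
find_drupal_modules() {
  docroot="$1"; shift
  for name in "$@"; do
    # Each Drupal 7 module ships a <machine_name>.info file. Search the whole
    # docroot, not only sites/all/modules, since a stray copy elsewhere is just
    # as reachable over the web.
    find "$docroot" -type f -name "$name.info" 2>/dev/null | while read -r info; do
      # Pull the 'version = "7.x-1.2"' line (quotes optional); "unknown" if absent,
      # e.g. for a module checked out from git without a packaged .info.
      version=$(sed -n 's/^version *= *"\{0,1\}\([^"]*\)"\{0,1\} *$/\1/p' "$info" | head -n 1)
      printf '%s\t%s\t%s\n' "$name" "${version:-unknown}" "$(dirname "$info")"
    done
  done
}
```

Each output line is module, version and directory, so a site with several copies of the same module (for example one under sites/all/modules and one under a site-specific directory) shows up once per copy.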
Once again, our support team handled the security vulnerabilities brilliantly. Go team!