The Drupal team have released an official notice to warn site administrators about a current Drupal security vulnerability and its impending patch.
Today, 19th February 2019, Drupal has released an official warning in order to alert site administrators of an impending security release for Drupal 8 which will be released tomorrow, 20th February 2019.
According to Drupal's PSA, the security vulnerability currently affects Drupal 8.5.x and 8.6.x.
Drupal also acknowledges that while Drupal 7 core is unaffected, certain contributed modules may require updating to eliminate any vulnerability. As of present, Drupal has not released a list of affected modules, but this can be expected after the security fix has been publically released.
Certain Drupal 8 sites are at greater risk of exploitation due to how they are configured. Drupal deems that the configuration which greatens the risk of vulnerability is uncommon.
They describe uncommon as "only uncommon module configurations are exploitable".
For now, it's important to treat both Drupal 7 and 8 websites as currently vulnerable.
According to their official risk calculator, Drupal notes that this vulnerability would theoretically require no authentication by a potential attacker, which means that anonymous users could possibly exploit the vulnerability. Drupal also notes that there is a potential for all confidential information to be accessed, and that all data could theoretically be modified or deleted by an attacker.
Details of the security vulnerability itself have not yet been publicized by the Drupal team, but will be made available to the general public tomorrow, between 18:00 and 22:00 [UTC].
Currently, we don't know the nature of the Drupal security flaw and how it may affect websites running the CMS. Drupal has not yet released this information.
It can be expected that this information will be available to the general public tomorrow, but until the security patch has been released by Drupal it is impossible to know.
Once Drupal has specified the nature of the vulnerability, it will be easier to determine which sites are at increased risk of exploitation.
Drupal urges site administrators to remain available tomorrow between 18:00 and 22:00 [UTC] to apply the necessary updates which will be released during this time window.
We will provide an official update to this blog post when we know more.
In the meantime, we recommend that site administrators remain vigilant and alert.
We also recommend making the necessary backups of any websites running either Drupal 7 or Drupal 8. This includes all core files, module files, site files, and of course, the database.
If you are concerned and would like to speak to one of our Drupal security experts, don't hesitate to get in touch.
—Your Cocoon Team