Moderately critical security update for Drupal 7 & 8 cores - SA-CORE-2019-007
The Drupal Security Team has announced a moderately critical security advisory for both Drupal 7 and 8 cores today, May 8, 2019, with the following details:
Project: Drupal core
Date: 2019-May-08
Security risk: Moderately critical 14/25
Vulnerability: Third-party libraries
Description
Drupal core uses the third-party Phar Stream Wrapper component. This library has released a security update which impacts Drupal core. As described in TYPO3-PSA-2019-007:
It has been discovered that the protection against insecure deserialization can be bypassed in the Phar Stream Wrapper component. Insecure deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application. The current implementation is vulnerable to path traversal, leading to scenarios where the Phar archive to be assessed is not the actual (compromised) file.
Severity
The final severity assessment has to be done in the component making use of the Phar Stream Wrapper package and depends on the interceptor strategy that has been used. In case file invocations on user-submitted paths are allowed, at least insecure deserialization is possible. Depending on the specific implementation in the using components, this could lead to higher impact scores concerning confidentiality, integrity and availability.
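To make the "assessed archive is not the actual file" problem concrete, here is an added PHP example (not Drupal core's code and not the Phar Stream Wrapper library's code) illustrating the class of mistake behind the advisory: an interceptor that derives the archive path from a phar:// URL before resolving traversal segments can inspect one file while PHP opens another. The function names, the sample URL and the allow-list directory are all constructed for this illustration; the exact bypass fixed in the library is not reproduced here.

```php
<?php
// Added example illustrating the advisory's path-traversal concern.
// Not the library's or Drupal's own implementation; names are hypothetical.

declare(strict_types=1);

/**
 * Naive approach (the mistake class): cut the phar:// URL at the first
 * ".phar" to find the archive to assess, without resolving "..".
 */
function naiveArchivePath(string $pharUrl): string
{
    $path = substr($pharUrl, strlen('phar://'));
    $pos = strpos($path, '.phar');
    return $pos === false ? $path : substr($path, 0, $pos + 5);
}

/**
 * Lexically collapse "." and ".." segments so the assessment operates on the
 * same path that will actually be resolved when the archive is opened.
 * No filesystem access is needed, so it works before anything is touched.
 */
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts); // step out of the previous directory
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

/**
 * Hardened approach: normalize first, then take the prefix up to and including
 * the first segment ending in ".phar". This is the archive PHP will really read.
 */
function canonicalArchivePath(string $pharUrl): string
{
    $inner = normalizePath(substr($pharUrl, strlen('phar://')));
    $parts = [];
    foreach (explode('/', ltrim($inner, '/')) as $segment) {
        $parts[] = $segment;
        if (substr($segment, -5) === '.phar') {
            break;
        }
    }
    return '/' . implode('/', $parts);
}

/**
 * Interceptor-style check: only allow archives whose canonical path lives
 * inside one of the allow-listed directories (constructed list, hypothetical).
 */
function isAllowedArchive(string $pharUrl, array $allowedDirs): bool
{
    $archive = canonicalArchivePath($pharUrl);
    foreach ($allowedDirs as $dir) {
        $prefix = rtrim(normalizePath($dir), '/') . '/';
        if (strncmp($archive, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample: a trusted-looking archive name followed by traversal
// into a user-controlled upload directory.
$url = 'phar:///var/www/files/known-good.phar/../../../tmp/upload.phar/resource.txt';

echo 'naive assessment target:     ', naiveArchivePath($url), PHP_EOL;
echo 'canonical assessment target: ', canonicalArchivePath($url), PHP_EOL;
echo 'allowed under /var/www/files: ', var_export(isAllowedArchive($url, ['/var/www/files']), true), PHP_EOL;
```

Run with `php example.php`. The naive function reports the path under /var/www/files, while the canonical function reports the archive under /var/tmp that PHP would actually open, so an allow-list keyed on the naive path passes and one keyed on the canonical path rejects the request. The defensive takeaway matches the advisory's solution section: upgrade to the fixed Drupal releases, and, for any custom interceptor, assess and open the same normalized path.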
Solution
Install the latest version:
- If you are using Drupal 8.7, update to Drupal 8.7.1.
- If you are using Drupal 8.6 or earlier, update to Drupal 8.6.16.
- If you are using Drupal 7, update to Drupal 7.67.
Versions of Drupal 8 prior to 8.6.x are end-of-life and do not receive security coverage.