
[Vulnerability notice] CVE-2017-6920: Remote code execution vulnerability in Drupal

Last Updated: Apr 08, 2018

On June 21, 2017, Drupal officially released a security advisory for the vulnerability numbered CVE-2017-6920, rated Critical. This remote code execution vulnerability results from incorrect processing by Drupal core's YAML parser, and it affects Drupal core 8.x.

Drupal is an open-source content management framework (CMF) written in the PHP language. It consists of a content management system (CMS) and a PHP development framework.

See the following for more information about the vulnerability.

CVE identifier: CVE-2017-6920

Vulnerability name: Drupal remote code execution vulnerability

Vulnerability rating: High

Vulnerability description: Drupal core's YAML parser unserializes PHP objects embedded in the YAML it processes. This allows an attacker to remotely run code and perform high-risk operations.

Condition and method of exploitation: Remote exploitation

Affected scope: Drupal core 8.x

Vulnerability detection

Check the Drupal core version. The vulnerability exists if the version is 8.x and earlier than 8.3.4; otherwise, the vulnerability does not exist.

How to fix or mitigate

  • Upgrade Drupal to the official version 8.3.4 or later.

  • As a temporary measure, update the decode function in the Drupal file /core/lib/Drupal/Component/Serialization/YamlPecl.php so that the PECL YAML extension never unserializes PHP objects:

    public static function decode($raw) {
      static $init;
      if (!isset($init)) {
        // We never want to unserialize !php/object.
        ini_set('yaml.decode_php', 0);
        $init = TRUE;
      }
      // yaml_parse() will error with an empty value.
      if (!trim($raw)) {
        return NULL;
      }
      // Parse the document with PHP object decoding disabled.
      return yaml_parse($raw);
    }
  • We recommend that you do not expose the administration backend publicly, to prevent direct brute-force or web attacks against it. We also recommend that you regularly upgrade to the latest release to avoid known vulnerabilities.
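To automate the detection step above and to verify whether the temporary hotfix has been applied, here is an added Python check; it is not part of this notice or of Drupal itself. It assumes that Drupal 8 declares its version in the `const VERSION` line of core/lib/Drupal.php and treats the hotfix's `ini_set('yaml.decode_php', 0)` line as the marker that YamlPecl.php has been mitigated; all sample file contents are constructed.

```python
import re
import sys
from pathlib import Path

# Fixed release named by the notice: Drupal core 8.x earlier than 8.3.4 is affected.
PATCHED = (8, 3, 4)

# Constructed samples standing in for core/lib/Drupal.php of two installs.
DRUPAL_PHP_OLD = "class Drupal {\n  const VERSION = '8.3.3';\n}\n"
DRUPAL_PHP_NEW = "class Drupal {\n  const VERSION = '8.3.4';\n}\n"
# Constructed samples standing in for YamlPecl.php, without and with the hotfix.
YAMLPECL_PLAIN = "public static function decode($raw) {\n  return yaml_parse($raw);\n}\n"
YAMLPECL_HOTFIX = (
    "public static function decode($raw) {\n"
    "  ini_set('yaml.decode_php', 0);\n  return yaml_parse($raw);\n}\n"
)

def parse_drupal_version(drupal_php: str) -> str:
    """Return the VERSION constant declared in core/lib/Drupal.php."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", drupal_php)
    if not m:
        raise ValueError("no VERSION constant found; not a Drupal 8 core/lib/Drupal.php")
    return m.group(1)

def version_tuple(version: str) -> tuple:
    """'8.3.4-dev' -> (8, 3, 4); a pre-release suffix is ignored for the comparison."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def is_vulnerable(version: str) -> bool:
    """Affected scope from the notice: Drupal core 8.x older than 8.3.4."""
    v = version_tuple(version)
    return v[0] == 8 and v < PATCHED

def hotfix_present(yamlpecl_php: str) -> bool:
    """True if decode() disables PHP object unserialization in the PECL YAML parser."""
    return re.search(r"ini_set\(\s*'yaml\.decode_php'\s*,\s*0\s*\)", yamlpecl_php) is not None

def assess(drupal_php: str, yamlpecl_php: str) -> str:
    """'patched' (8.3.4 or later), 'mitigated' (old core with the hotfix) or 'vulnerable'."""
    if not is_vulnerable(parse_drupal_version(drupal_php)):
        return "patched"
    return "mitigated" if hotfix_present(yamlpecl_php) else "vulnerable"

if __name__ == "__main__":
    # Usage: python check_cve_2017_6920.py /path/to/drupal/docroot
    if len(sys.argv) > 1:
        root = Path(sys.argv[1])
        print(assess((root / "core/lib/Drupal.php").read_text(),
                     (root / "core/lib/Drupal/Component/Serialization/YamlPecl.php").read_text()))
    else:  # no docroot given: run against the constructed samples
        print(assess(DRUPAL_PHP_OLD, YAMLPECL_PLAIN), assess(DRUPAL_PHP_OLD, YAMLPECL_HOTFIX),
              assess(DRUPAL_PHP_NEW, YAMLPECL_PLAIN))
```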

Reference

[1] https://www.drupal.org/SA-CORE-2017-003
