Drupal is a popular content management system used by hundreds of thousands of websites. Today there will be a critical update to the software's latest iteration, Drupal 8, or rather to a 3rd party library it uses centrally.
UPDATE: The security issue has now been revealed and is related to the httpoxy vulnerability when using FastCGI with PHP-PM or HHVM. Specifically, the vulnerable 3rd party library was Guzzle, but given the severity, all functionality that might be affected by httpoxy should be considered.
The patch follows last week's remote code execution vulnerability in Drupal 7 modules, but this time the vulnerability is limited to Drupal 8. Users should be ready to update their installations once the security patch for PSA-2016-002 is released later today, Monday June 18th.
The Drupal security team was made aware of the vulnerability beforehand and will publish the update as soon as the 3rd party library has been patched. The security team will not reveal any details of the vulnerability in the component beforehand, but it does state that the upgrade is recommended for all users of Drupal version 8.x.
The tool has had its share of issues, one of which ultimately led to the Panama Papers leak at Mossack Fonseca. Drupal 8 offers open interfaces for decoupling from the CMS using rich front ends built with technologies like Angular or React. But if your API-focused implementation exposes the REST API directly, then even decoupled implementations will be vulnerable to this and to similar vulnerabilities in the future.
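The httpoxy issue named in the update above comes from a naming collision: a CGI or FastCGI gateway turns every request header into an `HTTP_`-prefixed environment variable, so a client-supplied `Proxy:` header becomes `HTTP_PROXY`, the same variable that outbound HTTP client libraries (including the vulnerable Guzzle versions) read as their proxy setting. The following is an added example, not code from the original post, from Drupal or from Guzzle. It models that mapping, the filter a gateway should apply before handing the environment to PHP, and a detection helper for logging. The function names, `BLOCKED_CGI_VARS` and the `SAMPLE_REQUEST_HEADERS` list are this example's own constructed assumptions, and `resolve_outbound_proxy` is a stand-in for how a library reads the variable, not Guzzle's code.

```python
# Added example, not code from the original post, Drupal or Guzzle.
# Models how a CGI/FastCGI gateway maps request headers onto environment
# variables, why a "Proxy:" header collides with HTTP_PROXY (httpoxy), and
# the filter a gateway should apply before the environment reaches the app.

# Environment variables that must never be populated from a request header.
# HTTP_PROXY is the httpoxy case; extend the set if a deployment honours
# other proxy-style variables (assumed set, constructed for this example).
BLOCKED_CGI_VARS = {"HTTP_PROXY"}


def cgi_var_name(header_name: str) -> str:
    """RFC 3875 header-to-variable rule: prefix HTTP_, upper-case, '-' -> '_'.

    The mapping is case-insensitive, so "Proxy", "proxy" and "PROXY" all land
    on HTTP_PROXY, which is exactly the collision httpoxy exploits.
    """
    return "HTTP_" + header_name.strip().upper().replace("-", "_")


def build_cgi_env(headers, protect=True):
    """Build the CGI environment a FastCGI front end would pass to the app.

    With protect=True, any header that would map onto a blocked variable is
    dropped, mirroring the web-server mitigation of blanking HTTP_PROXY.
    """
    env = {}
    for name, value in headers:
        var = cgi_var_name(name)
        if protect and var in BLOCKED_CGI_VARS:
            continue  # never let a client header set a trusted variable
        env[var] = value
    return env


def find_httpoxy_headers(headers):
    """Detection: names of request headers that would collide with a blocked
    variable, suitable for logging or alerting at the edge."""
    return [name for name, _ in headers if cgi_var_name(name) in BLOCKED_CGI_VARS]


def resolve_outbound_proxy(env):
    """Stand-in (not Guzzle's code) for a client library that takes its proxy
    from the process environment, as the vulnerable Guzzle versions did."""
    return env.get("HTTP_PROXY")


# Constructed sample request: a routine request carrying a Proxy header that
# a correctly configured front end should strip before it reaches PHP.
SAMPLE_REQUEST_HEADERS = [
    ("Host", "drupal.example"),
    ("User-Agent", "curl/7.47.0"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("Proxy", "http://proxy.example.invalid:8080"),
]

if __name__ == "__main__":
    print("suspicious headers:", find_httpoxy_headers(SAMPLE_REQUEST_HEADERS))
    unprotected = build_cgi_env(SAMPLE_REQUEST_HEADERS, protect=False)
    protected = build_cgi_env(SAMPLE_REQUEST_HEADERS)
    print("outbound proxy without filter:", resolve_outbound_proxy(unprotected))
    print("outbound proxy with filter:", resolve_outbound_proxy(protected))
```

Without the filter the application's outbound requests would be routed through whatever host the request header named; with it, `HTTP_PROXY` is simply absent. In production the same filter belongs in the web server rather than in application code: the httpoxy advisory recommends `fastcgi_param HTTP_PROXY "";` for nginx and `RequestHeader unset Proxy early` for Apache, and Guzzle's own fix was to stop honouring `HTTP_PROXY` unless PHP is running from the command line, where the variable cannot come from a request.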