Drupalgeddon: critical Drupal vulnerability (PSA-2014-003)

Patch and update now

On October 29, Drupal published a critical security advisory that affects most Drupal websites. There’s a good chance that you’re affected if you don’t automatically update your installation of Drupal.

What happened

Behind the scenes, Drupal discovered a vulnerability that let attackers create backdoors on Drupal sites. To fix the issue, they released version 7.32 on October 15. Within hours, they saw automated attacks begin to compromise websites that were not patched or running the latest version.

What you need to do

Short version: Restore your site to its state prior to 10/15 and then upgrade to Drupal 7.32.

The longer version: According to Drupal, if you didn’t update to the latest version before 11 p.m. (UTC) October 15, you should assume your site was compromised and you’ll need restore an uncompromised backup of your website and then upgrade to version 7.32 (or later) immediately.

If you have a Drupal 7 website, you need to take action immediately to fix this issue. The likelihood that your site is vulnerable is nearly 100 percent unless you’ve already fixed the issue yourself.

However, simply updating to Drupal 7.32 will not protect your website. Just applying the patch will not protect your website. These will prevent further compromises but won’t do anything to remove backdoors already in place. In this case, because there might be no trace of an attack, you need to restore your website to a pre-October 15 version, upgrade, and apply the patch.

Need help?

Check out our instructions on how restore and update your site.

You can read more about the vulnerability, Drupal’s response, and how it might affect users at The Register. There’s also a “how to recover” flowchart and conversation here.

Image by: tanakawho via Compfight cc