Drupal Core Critical Remote Code Execution Vulnerability - SA-CORE-2018-004

On April 25th, 2018, Drupal released a security advisory describing a critical remote code execution vulnerability that affects multiple subsystems of Drupal core versions 7.x and 8.x. The advisory states that the vulnerability is related to the highly critical remote code execution vulnerability[1] previously posted on March 28, 2018, but does not provide any additional details.
 
Due to the severity of this vulnerability, the IT Security Office recommends that Drupal sites be updated as soon as reasonably possible to the supported versions 7.59 or 8.5.3, or that the available patch be applied temporarily until Drupal can be upgraded. For more information about this vulnerability, visit: https://www.drupal.org/sa-core-2018-004. If you suspect that your site has already been compromised, contact the IT Security Office by emailing security@ucla.edu.
 
[1] https://www.it.ucla.edu/security/advisories/drupal-core-highly-critical-remote-code-execution-vulnerability