Drupal


If you work in an organization or nonprofit using Drupal, or you work with nonprofits using Drupal, this is the group for you! Stuck on something? Have a question? Drupal experts are on hand to answer questions! You don't need to be a member of NTEN to participate in the monthly calls — feel free to invite colleagues and spread the word.

Security alert - Drupal core

  • 1.  Security alert - Drupal core

    Posted Apr 03, 2018 08:58

    Hi all,

    I'm pretty much assuming that everyone has heard about this already, but I'm surprised it hasn't been mentioned in the group. So just in case there are those who are maintaining Drupal sites who haven't seen the news...


    A highly critical security bug was found in Drupal core a few weeks ago, and a fix was released last week, on March 28. It's very strongly recommended to deal with this ASAP due to the severity of the bug.


    Details here: https://www.drupal.org/sa-core-2018-002


    This issue affects versions 6, 7, and 8, and fixes are available for all those versions.


    Thanks,

    Martin



    Martin Hansen
    Team Lead, Web Services
    519.725.7875 x2120 | 888.817.3048



    PeaceWorks™ Technology Solutions
    101 - 554 Parkside Drive,
    Waterloo ON  N2L 5Z4
    www.peaceworks.ca


    Mission driven technology solutions




  • 2.  RE: Security alert - Drupal core

    Posted Apr 04, 2018 09:27
    Hi Martin,

    Thank you for bringing this up. I, too, encourage everyone to patch ASAP. If you're an administrator and know your way around Drush, it's a very simple process.

    I know that in some non-profits, updating comes second to everything else (due to time, resources, knowledge), however this is definitely an issue that any organization, big or small, should throw a couple hours of labor toward.

    Corey

    ------------------------------
    Corey Brown
    Web Resource Coordinator
    CLINIC
    Silver Spring, MD
    ------------------------------



  • 3.  RE: Security alert - Drupal core

    Posted Apr 04, 2018 10:01

    Thanks for bringing this up. Our web developers made the update right away but I was surprised that Acquia, our hosting company, didn't send out a notification.

    Mary



    ------------------------------
    Mary Gaughan
    FSG
    Boston, MA
    ------------------------------



  • 4.  RE: Security alert - Drupal core

    Posted Apr 05, 2018 16:56
    It is extremely important for this update to be done. What makes this update so important is that its severity led to support being extended to Drupal 6, which reached its end of life about two years ago.

    Thankfully, this update required no downtime and contained no database updates. Updating is sometimes considered a back-seat item, BUT it is extremely important to do this update. The update usually takes on average about 5-30 minutes.

    If you need advice, help or direction - please let me know. We are here to help, no strings attached!

    Being hacked is a really hard thing to undo and can cost way more time/money than updating.

    Happy Drupalling!


    ------------------------------
    Anne Stefanyk
    CEO & Drupal/WordPress Strategist
    Kanopi Studios
    San Francisco, CA
    ------------------------------



  • 5.  RE: Security alert - Drupal core

    Posted Apr 06, 2018 13:20
    Hi all, I'm not a Drupal developer, but am unexpectedly finding myself managing our Drupal developer in an odd and sensitive situation. I'll try to explain without getting into the politics and trust issues. Our developer did not bring this patch to our attention, but actually my husband did (also not a Drupal developer, but he's in tech infrastructure). We submitted a ticket to our developer and he confirmed that the patch was automatically applied and modules updated by the core infrastructure servers and now the 2nd phase is to manually check that the patch was applied, check the drush logs, and test the vulnerability.

    For this, our developer is quoting 4 hours per site (we have 5 sites: one main communications site plus 4 program-specific sites; there is a logic to this, but I'll spare you). So this update could end up costing a couple thousand dollars. So far the developer has only given us the number of hours required and not the rate he'll be charging us.

    Could anyone here confirm if this is legit based on the information provided? I don't necessarily think we have a whole lot of choice in the matter, but if there are additional questions I should be asking or documentation to request, I'd appreciate the guidance. We do pay a monthly retainer, but apparently this work isn't included in that fee.

    ------------------------------
    Courtney Calvin
    Senior Communications Officer
    Eurasia Foundation
    Washington, DC
    ------------------------------



  • 6.  RE: Security alert - Drupal core

    Posted Apr 06, 2018 13:38
    I would think that kind of price needs justification.

    The security update did not require a database update (just a replacement of the Drupal core files) so unless your developer has made changes to core, there should be minimal impact (it took me about 5-10 minutes on each site I manage, billed to clients at about 15-20 minutes because I did it on a test first, then live, and including the email saying it was done).

    ------------------------------
    Kathryn Carruthers
    Freelance webmaster
    Ottawa, ON Canada
    ------------------------------



  • 7.  RE: Security alert - Drupal core

    Posted Apr 06, 2018 13:47
    It took 5-10 minutes for our Drupal 8 website.

    --
    Sharon Keast
    Southwest Neighborhoods, Inc.
    7688 SW Capitol Hwy.

    9:30am - 2:30pm, M-W-F 
    (503) 823-4592







  • 8.  RE: Security alert - Drupal core

    Posted Apr 06, 2018 13:52
    I agree with Kathryn and Sharon. If someone was in an active support contract with us, this update was covered under the usual security updates bucket of time. It didn't take a lot of extra time. And this one was a non-negotiable update.

    Good luck, Courtney!

    Johanna


    Johanna Bates
    Technical Director, Principal
    Twitter: @hanabel





  • 9.  RE: Security alert - Drupal core

    Posted Apr 06, 2018 14:08
    Leaving aside the issue of whose responsibility it is to monitor security updates (there should be a well-articulated plan for monitoring regular security releases, and maintenance plans should be clear as to when an update is done without client approval; this would certainly have been one of those cases, IMO).

    The update was simple, but there are factors that could complicate things:

    - Is the site hosted in such a way that updates are painless? Some hosts make upstream patching really easy, some don't. Some development setups are good in this regard and some aren't.

    - Was your site already up to date, or did it require a series of patches to get you to the current security release?

    - Has this developer been working with this site, or is it a new project that requires setup?

    - What does your QA cycle look like? Do you or the developer require basic sanity tests with each release? Normally we do this before a release goes into production, but in this case, because of the severity, we went to production first and then performed QA (which by that time we knew could be abbreviated because of the nature of the patch).

    In the end, our time spent was pretty similar to what others report - a team of 5 people updated about 30 sites in the space of an hour. But all of those sites were in tip top shape and ready for the patch, hosted in environments where we knew the update would be simple. Most of our time was spent waiting for resource availability (composer, git.drupal.org, Pantheon hosting, etc) to be able to grab the patch and doing the followup QA.





  • 10.  RE: Security alert - Drupal core

    Posted Apr 06, 2018 14:20
    Yes, there are some deeper systemic issues with how this contract was structured and written. It's a long story. Our developer was on staff for 6-7 years, then let go and brought back as a consultant so he could focus on his own consulting side business. We are exploring options for going forward, but have some immediate needs that need to be met.

    ------------------------------
    Courtney Calvin
    Senior Communications Officer
    Eurasia Foundation
    Washington, DC
    ------------------------------



  • 11.  RE: Security alert - Drupal core

    Posted Apr 09, 2018 09:17

    Hi Courtney, I would agree with the others' comments.


    However, the estimate could be justified; I think it's just unclear what work they are including. To just apply the security update (whether you are doing a Drupal core version update or just applying a patch to the files) should be on the order of 10-30 minutes, including connecting to the server, doing the work, reporting back to you, etc.


    But there may be other work that the developer is including in their estimate. They may be updating all your modules. You also listed "testing", I'm not sure what would be covered here and how extensive. Maybe there are other complications too, that we're not aware of.


    It seems a little odd that this wouldn't be included in your retainer. This update is not any more complicated than any other version update in Drupal (in fact it's quite a simple update, as others said). The only difference is the security urgency around it. So there could be a rationale for this to be "extra work" if it forces the developer to deviate from a previously agreed maintenance schedule. But the work itself is not unusual otherwise.


    If I were you, my next step would be to ask for more clarity on what specifically is included in that estimate. If you do get more info there and would like further feedback feel free to reply back. :)


    Martin



    Martin Hansen
    Team Lead, Web Services
    519.725.7875 x2120 | 888.817.3048



    PeaceWorks™ Technology Solutions
    101 - 554 Parkside Drive,
    Waterloo ON  N2L 5Z4
    www.peaceworks.ca


    Mission driven technology solutions







  • 12.  RE: Security alert - Drupal core

    Posted Apr 09, 2018 10:35
    Adam's post really gets to the broad reality behind the update. For some, it's a 15 minute patch. However, if the site was significantly out of date, or the environment is tricky to access, or there are strict deployment or QA guidelines, or anything goes wrong with the version control system, or any of a number of client specific issues arise, then the time will increase.

    If these are the only sites someone works on and they completely control the environments and everything is kept up to date and there is an airtight deployment system in place and everyone required in the decision making process is on board, well... you get the idea.

    ------------------------------
    Pierre Berryer
    Tech Lead
    Beaconfire RED
    Arlington, VA
    ------------------------------



  • 13.  RE: Security alert - Drupal core

    Posted Apr 23, 2018 15:40
    Hello, all. Another such security update is coming out on Wednesday.

    Drupal 7 and 8 core critical release on April 25th, 2018: PSA-2018-003.

    Best,
    Stephen Musgrave
    Partner
    Capellic.com


    ------------------------------
    Stephen Musgrave
    Partner
    Capellic, LLC
    Jersey City, NJ
    ------------------------------



  • 14.  RE: Security alert - Drupal core

    Posted May 16, 2018 13:12
    We did not patch this in time, and got hacked - Drupalgeddon 2 they are calling it.
    It's a nightmare, we tried to scan and remove all malicious code, but at this point we are planning to just rebuild from backup on a new server because we may have missed some script somewhere.
    Apparently they are mining for bitcoin.
    Anyone else have experience with something like this?

    ------------------------------
    Jenka Soderberg
    Web/New Media Coordinator
    KBOO Community Radio
    Portland, OR
    ------------------------------



  • 15.  RE: Security alert - Drupal core

    Posted May 16, 2018 13:20

    Hi Becky,

    I'm sorry to hear that your site got hacked. :-( It really is hard to clean up a site and server after getting hacked because it's difficult to tell what things the attackers left there. In some cases, people have reported that the attackers added a cronjob to re-infect the site in case it got repaired!

    I'm on the Drupal Security Team, and so I have a lot of experience with this issue, but from the other side. If there's anything you think the Security Team could do to improve in situations like this, please let me know! And I'm going to try and be on the call tomorrow.

    Also, I'm not trying to turn this into a sales pitch, but my company (myDropWizard.com) offers a service to apply any Drupal security updates the same day they are released! We got both the recent security releases deployed to all our customers right away and none of them got hacked.

    Thanks,
    David


    -
    David Snopek





  • 16.  RE: Security alert - Drupal core

    Posted May 16, 2018 13:38
    Hi Becky,
    I am sorry you got hacked! If it makes you feel any better, I did, too. All my clients' sites were patched immediately, both times, but I had a personal, tiny, side-project site that I totally forgot about. And it was hacked in the first couple days. My take-aways:

    1. If you've been hacked via one of the last 2 Drupalgeddons, restoring from code and database backups, and then patching before relaunch, is likely your safest and best way forward. And you're doing that, it sounds like. That's great. 

    2. It doesn't matter if your site is a tiny nothing site--there are bots scanning for un-patched Drupal instances, so any un-patched site is vulnerable. 

    3. Put on your oxygen mask before attempting to help others! Have a trusted support provider that patches immediately, have your site code in Git, and keep nightly database backups. I was able to restore my personal side-project site from Git and backups and then patch it and re-launch it, just as you're doing. 

    Talk to you more tomorrow, and I'm sorry again that you're going through that headache.

    Johanna

    Johanna Bates
    Technical Director, Principal
    Twitter: @hanabel
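A concrete form of the "we may have missed some script somewhere" problem in Jenka's post, using the approach Johanna describes (a known-good copy of the code from Git or a backup): compare the live docroot with the clean copy and list every file that was added, removed or changed, and separately flag any PHP file sitting under Drupal's uploads tree (sites/*/files), which should never contain code. This is an added example, not code from any poster; the two docroots it builds are constructed in a temporary directory.

```python
"""Compare a live Drupal docroot with a known-good copy (code restored from
Git or a pre-incident backup): report added/removed/modified files and any
PHP file under sites/*/files. Added example; the docroots are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

def _in_files_dir(rel: Path) -> bool:
    # Drupal's public uploads tree is sites/<site>/files/...
    p = rel.parts
    return len(p) >= 3 and p[0] == "sites" and p[2] == "files"

def manifest(root: Path) -> dict:
    """Relative path -> sha256 for every file under root, skipping .git and
    the uploads tree (uploads legitimately differ from a backup)."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root)
            if not _in_files_dir(rel):
                out[rel.as_posix()] = hashlib.sha256(full.read_bytes()).hexdigest()
    return out

def diff_trees(clean_root, live_root) -> dict:
    """Files added, removed or changed in the live copy versus the clean one."""
    clean, live = manifest(Path(clean_root)), manifest(Path(live_root))
    return {
        "added": sorted(set(live) - set(clean)),
        "removed": sorted(set(clean) - set(live)),
        "modified": sorted(p for p in clean.keys() & live.keys()
                           if clean[p] != live[p]),
    }

def php_in_files_dir(live_root) -> list:
    """PHP files inside sites/*/files: a classic spot for a dropped script."""
    root = Path(live_root)
    return sorted(f.relative_to(root).as_posix() for f in root.rglob("*")
                  if f.is_file() and _in_files_dir(f.relative_to(root))
                  and f.suffix.lower() in {".php", ".phtml"})

def _write(root: Path, rel: str, text: str) -> None:
    (root / rel).parent.mkdir(parents=True, exist_ok=True)
    (root / rel).write_text(text)

def demo() -> dict:
    """Constructed clean vs. live docroots: one tampered core file, one
    unexpected module file, one PHP file dropped into the uploads dir."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        _write(root, "index.php", "<?php // front controller\n")
        _write(root, "includes/bootstrap.inc", "<?php // bootstrap\n")
        _write(root, "sites/default/files/logo.png", "png bytes (constructed)")
    _write(live, "includes/bootstrap.inc", "<?php // bootstrap\n// injected\n")
    _write(live, "sites/all/modules/helper.php", "<?php // unexpected\n")
    _write(live, "sites/default/files/cache.php", "<?php // dropped script\n")
    return {"diff": diff_trees(clean, live), "uploads": php_in_files_dir(live)}
```

Run against a real site by calling diff_trees(clean_checkout, live_docroot) and php_in_files_dir(live_docroot); anything reported in "added" or "modified", and any hit under the uploads tree, is a file to examine before relaunching.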





  • 17.  RE: Security alert - Drupal core

    Posted May 16, 2018 14:55
    Thanks

    Unfortunately the site that got hacked is not a tiny nothing site, it is our main website for the radio station!! As such, restoring from backup is a big undertaking. We have close to 3 TB of audio files in our archives.

    -jenka

    ------------------------------
    Jenka Soderberg
    Web/New Media Coordinator
    KBOO Community Radio
    Portland, OR
    ------------------------------



  • 18.  RE: Security alert - Drupal core

    Posted May 17, 2018 13:09
    Websites come in 3 sizes:
    1. Sites for big organizations with their own IT shops.
    2. Sites for small organizations that pay for development and only have resources to do minor maintenance or configuration.
    3. Small, low-budget sites, using inside or volunteer talent, possibly using packages like WordPress or even raw HTML.

    Big companies with IT shops can do whatever they want, because they plan for risk and are responsible for cleaning up messes.
    Companies that rely on shops or individuals can easily degrade over time into a legacy mess.

    I have three suggestions for those with small budget and minimal resources:

    1. When building or rebuilding a site, stick to simple web design standards.
    --Avoid heavy theming or custom development that may turn out later to have unfixed bugs.
    --Stick with standards that are well maintained by the software owners or open source community.
    --Train your own people to apply regular maintenance updates promptly.

    2. Always keep your site content well organized, ready to rebuild at a moment's notice.
    --Clean away old content every month. ("Take out the trash")
    --Prepare and display content in standard, organized formats--using fields when possible to tag properties, dates, people, etc.
    --Save all new content in a clean format so that it can be easily uploaded again if it is ever corrupted. (I.e., be able to isolate the content from the overall database backups that may get corrupted.)

    3. If you have a clean set of content, it becomes easier to start over with a simple new site using newer standards than to try to rebuild an old site. Often it can take a lot of time for a developer to dig through what someone else did in their own way before they can "fix" the problems that are bothering your site.

    ------------------------------
    Ted Spencer
    Executive Director
    Voters Pledge
    ------------------------------