Drupal is the latest platform to issue an emergency patch for a critical vulnerability. The issue (CVE-2018-7600) allows an attacker to execute code remotely with little effort. That’s bad. The Drupal team has been quick to respond and has already issued a patch, along with a mitigation for users unable to patch immediately. In addition to the standard security notice, their team has written an in-depth FAQ. [Editor's note: Trend Micro customers can get more information on how to use various security controls to help mitigate the attack on the support page for this issue.]
Despite the fantastic name of “Drupalgeddon 2: Electric Hashaloo” (kudos to Scott Arciszewski), there is no reason to panic. Mistakes happen, and in a framework as complex as a CMS, security issues are going to make it to production. The good news is that projects with a significant user base like Drupal (which currently holds about 4.3% of the market for content management systems) have gotten really good at identifying issues, fixing them, and getting patches out to users. This will not be the last critical vulnerability to be announced this year. Or next year. Or the year after that. When these announcements come to light, you and your team need to take a pragmatic view and work through the following process:
This is a process that is going to be used a lot. Last year there were 10,059 vulnerabilities reported that had a remote execution component. Not all of these vulnerabilities are going to affect your organization (that number includes all reports), but even if only half a percent (0.5%) apply, that is about 50 a year: you’re going to run through this process roughly once a week!
In order to handle that volume, the only reasonable solution is to automate. Otherwise, you’re going to be diverting significant IT resources to simply keeping the lights on and the doors locked. The good news? Configuration management and orchestration tools (Ansible, Chef, Puppet, etc.), virtualization platforms, and the cloud have made it easier than ever to automate significant portions of your IT deployments. A failure to automate shifts the internal discussion around patching: it moves from evaluating the risk of the vulnerability on its own to the workload increase that a patch entails. You can adjust that equation with mitigations, but the focus should remain on the risk of the issue itself, not on the risk to project timelines caused by a failure to modernize the patch deployment process. Teams should be able to evaluate, mitigate, and fix vulnerabilities on a regular basis without it impacting their main work goals.
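As an added example (not code from the original post or from the Drupal project) of the kind of check that belongs in an automated pipeline, here is a small Python script that takes a fleet inventory of Drupal versions, as an orchestration tool's fact-gathering step might produce it, and reports which hosts are still below the fixed release for their branch. The inventory is constructed sample data; the per-branch fixed versions are the ones listed in the Drupal advisory for CVE-2018-7600 and should be confirmed against that advisory before being relied on.

```python
"""Fleet check for a CMS advisory: which hosts still run a vulnerable Drupal?

Added example, not code from the original post or from the Drupal project.
Assumptions: SAMPLE_INVENTORY is constructed sample data, and the per-branch
minimum fixed versions are taken from the Drupal advisory for CVE-2018-7600
(SA-CORE-2018-002); confirm them against the advisory before use.
"""
from typing import Dict, Tuple

# Minimum fixed release per supported branch (branch -> fixed version).
FIXED_VERSIONS: Dict[str, str] = {
    "7": "7.58",
    "8.3": "8.3.9",
    "8.4": "8.4.6",
    "8.5": "8.5.1",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '8.5.1' into (8, 5, 1); drop a suffix such as '-dev' before parsing."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def branch_of(v: str) -> str:
    """Map a version to its advisory branch: 7.x -> '7', 8.y.z -> '8.y'."""
    parts = parse_version(v)
    if parts[0] == 7:
        return "7"
    return f"{parts[0]}.{parts[1]}"


def is_vulnerable(v: str) -> bool:
    """True if v is below its branch's fixed release, or on a branch with no fix at all."""
    fixed = FIXED_VERSIONS.get(branch_of(v))
    if fixed is None:
        # Unsupported or unknown branch: report it rather than silently skipping it,
        # because an end-of-life branch never receives the fix.
        return True
    return parse_version(v) < parse_version(fixed)


def hosts_needing_patch(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {host: version} for every host that still needs the patch."""
    return {host: ver for host, ver in inventory.items() if is_vulnerable(ver)}


# Constructed sample inventory (hostname -> reported Drupal core version).
SAMPLE_INVENTORY: Dict[str, str] = {
    "www1": "8.5.0",
    "www2": "8.5.1",
    "legacy": "7.57",
    "intranet": "8.2.7",   # end-of-life branch with no fixed release: must upgrade
    "staging": "8.4.6",
}

if __name__ == "__main__":
    for host, version in sorted(hosts_needing_patch(SAMPLE_INVENTORY).items()):
        print(f"{host}: {version} needs patching (branch {branch_of(version)})")
```

The branch-aware comparison matters: a naive "is it at least 8.5.1?" check would wrongly flag a patched 8.4.6 host and would say nothing about an unsupported 8.2.x host, which is exactly the one that needs the most attention.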
Time & Again
Almost every security issue that is reported ends with the same permanent solution: patch. An automated, efficient testing and patching process is the most effective way to improve your organization's security posture. The goal of security controls (like intrusion prevention) is to help protect against new attacks while the root cause is identified and fixed. An organization with strong mitigations in place and an efficient patching process will deal with issues like CVE-2018-7600 quickly and easily. That allows those teams to focus on helping achieve business goals or, at the very least, to sit back and enjoy the witty name, “Drupalgeddon 2: Electric Hashaloo.” How are you handling issues like this? What challenges have you found trying to get a smooth, automated patching process in place? Let me know on Twitter (where I’m @marknca) or on LinkedIn.