Don’t wait, update your codebase now!
by Stéphane Corlosquet
TL;DR: a security update for Drupal 7 and Drupal 6 was just released. All sites are affected and sites that are not updated immediately may experience Denial of Service (DoS) attacks leading to unexpected downtime.
Today on Aug 6th, 2014, the Drupal Security team released a security update for Drupal core which affects all Drupal sites in the wild regardless of their versions and configurations. The vulnerability was reported to both Wordpress and Drupal security teams who coordinated the release today.
Drupal has included an XML-RPC server since its inception in 2001 in a file called xmlrpc.php. Security researchers have discovered that the PHP XML parser used by XML-RPC was prone to XML bomb attacks which can lead to Denial of Service by either CPU or memory exhaustion, or pushing MySQL to reach too many open connections. It is recommended that everyone update all of their Drupal sites to Drupal 7.31 or 6.33 following the instructions of SA-CORE-2014-004.
In this blog post, we want to illustrate how Acquia products can help site owners in urgent situations like this, where a code update needs to be rolled out as soon as possible. The effort required will vary depending on which service you are using for hosting your site.
Remote Administration (least effort)
If you are signed up with the Remote Administration service, you will receive a notification regarding the Security Advisory release. Based on your Remote Administration preferences, you may also receive an update ticket when a secure branch is ready for your team to test (Full Deploy) on your RA Environment as illustrated below, or informing you of recommended updates to your code (Inform Only). Read more on implementing security updates.
The process for Acquia Cloud is more self service in that it will require you to:
1. download Drupal 7.31 or Drupal 6.33 in your local site codebase. This can easily be done with Drush if you have a working Drupal install locally. Drush will know which version to download for you with:
drush upc drupal
Beware that if you are not already on the most recent version of Drupal core, the update will include more than just the security fix. If you cannot use Drush, download and extract Drupal core from https://www.drupal.org/project/drupal and update your codebase.
2. commit the updated code to your codebase (git or svn). If you are on git for example, you can run:
git add --all .
git status # should show a few .inc files and lots of .info files
git commit -m "Security update for Drupal 7.31 - SA-CORE-2014-004"
git tag 1.3.5 -m "Tagging security update for Drupal 7.31"
git push origin 1.3.5 master
Alternatively if you are not ready for Drupal 7.31 or Drupal 6.33, you can add an .htaccess rule to prevent its access as a temporary mitigation. This rule should be added near the top, before any rewrites:
Deny from all
Alternatively, you can also remove the xmlrpc.php file located in the Drupal root directory. Note however that in either case above, if you are using a module like services which includes its own XML-RPC endpoint and uses Drupal core XML-RPC library, you will still need to apply the security update.
3. Deploy the new tag to your staging environment for testing. Test.
4. Finally, deploy to production using drag and drop as shown below. There is no need to run update.php or clear the caches for this release.
Acquia Cloud Site Factory
If you use the Acquia Cloud Site Factory SaaS or SaaS+ tier, we’ve already gone ahead and blocked xmlrpc.php for all of your sites so there’s nothing you need to do.
If you use the Site Factory PaaS tier, we have notified you of the availability of a new version of the Gardens distribution containing the xmlrpc.php fix. Merge and deploy the new Gardens distribution code as soon as possible. If you are using your own Drupal distribution with Site Factory, apply the SA-CORE-2014-004 fix to your codebase as soon as possible.
Once you merge your code, you can deploy the updated Drupal code through the Site Factory Site update page: