In a humbling instance of community-driven purpose, the WordPress.org and Drupal Core Security Teams, respectively, have released joint updates to their platforms that address a security vulnerability that could be exploited in either CMS. Users of either platform are encouraged to update to the most secure version of WordPress / Drupal immediately.
As reported by Mashable, “The vulnerability uses a well-known XML Quadratic Blowup Attack — and when executed, it can take down an entire website or server almost instantly.”
This is the first time that these two projects have worked together to release “coordinated joint security releases,” WordPress Security Team member Andrew Nacin said.
The XML vulnerability was first reported by Nir Goldshlager, a security researcher for Salesforce.com. This isn’t necessarily out of the ordinary. Goldshlager is a member of Salesforce’s product security team — researching security issues is what he specializes in. However, what is out of the ordinary, and what Goldshlager and Salesforce’s security team should be commended for, is the concerted level of cooperation and careful disclosure by all parties involved throughout the entire issue.
Goldshlager’s first step was to contact WordPress and Drupal to notify them of the security vulnerability his team had uncovered. The WordPress and Drupal core security teams then worked in tandem to create updates for their platforms to fix the issue.
Christina Warren, the writer for Mashable who first reported the issue, also worked closely with Goldshlager in preparing her story. And, exercising an increasingly rare degree of thoughtful community journalism, Warren held onto the story until WordPress and Drupal had security fixes in place.
All of this teamwork resulted in an article about the “major security vulnerability” being posted after WordPress and Drupal had released updates to address the issue.
“Responsible disclosure was the best way to get the issue out in the open, and also fixed,” Warren and Goldshlager wrote. “Notably, the WordPress and Drupal teams worked together on this solution and timed their security releases to coincide with one another. Because the vulnerability targets WordPress’s XML-RPC library file — a file that Drupal uses a derivative of — it made sense for the teams to work together on a patch and release.”
The WordPress security update is version 3.9.2; the release announcement is posted here, and the full release notes can be found here. If you’d like to dive deeper into these types of security updates, the WordPress Core Changelog can be viewed here. The Drupal announcement is posted here, and the updated secure versions are 7.31 and 6.33.
Again, we recommend that users of either platform update their sites as soon as possible to mitigate potential attacks that target this security vulnerability.
- Fixes a possible but unlikely code execution when processing widgets.
- Prevents information disclosure via XML entity attacks.
- Adds protections against brute-force attacks against CSRF tokens.
- And additional security hardening.
Once more, we’d like to make a special tip-of-the-hat to everyone involved in the way this security vulnerability was handled — and resolved. This is the way a major security vulnerability should be covered: with careful consideration to the users, and a healthy dose of teamwork between the security teams involved.
As always, if you have any questions about setting up your own site’s updates (be it in WordPress or Drupal), don’t hesitate to call a member of our support team. And if you’d prefer to let us completely handle your site upgrade, we’ll be happy to help.
------
Works Cited / For Further Reading:
Major security vulnerability in WordPress, Drupal could take down websites. (Mashable)
WordPress and Drupal Teams collaborate for simultaneous security releases. (Post Status)
Drupal Core security release announcement. (Drupal.org)