Drupal 7.34 fixes multiple vulnerabilities, potential for ‘CPU and memory exhaustion’

The Drupal.org Team recently released an update to address multiple vulnerabilities in the Drupal core platform.
 
The Drupal Security Team rates this security risk as “Moderately Critical,” unlike the SQL injection bug addressed in version 7.32 that was rated as “Highly Critical.” Still, users are “strongly recommended” to upgrade to the newest version of the platform.
 
The first security issue addressed is a vulnerability that allowed for session hijacking. If exploited, an attacker could craft a special request that would give access to another user’s session, “allowing an attacker to hijack a random session,” the Drupal Security release states.
 
The session hijacking vulnerability is present in both 7.x and 6.x installations of Drupal.
 
The 7.34 update also includes a fix for an issue that could enable a denial of service attack.
 
From the release notes:
“Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).”
 
According to Threatpost, “The vulnerability exposes user names in addition to threatening the availability of a Drupal site.”
 
The denial of service vulnerability is particularly worrying, as it can be exploited by anonymous users to crash a website.
 
Versions of the security update were released for both 7.x and 6.x installations of Drupal. For 7.x Drupal installations, the security fix is found in Drupal 7.34, and for 6.x installations, the team released Drupal 6.34.
 
For more information on Drupal 7.34 and 6.34, you can read the official release from the Drupal.org team here. If you would like to dive deeper into this security update, you can see a full list of all bug fixes in the stable 7.x branch in the git commit log here, or the 6.x branch here. Full details of the Drupal SA-CORE-2014-006 security advisory can be read here.
 
As always, if you have any questions about setting up your own site’s updates, don’t hesitate to call a member of our support team. And if you’d prefer to let us completely handle your site upgrade, we’ll be happy to help.
 
 
------
Works Cited / For Further Reading:
Drupal patches denial of service vulnerability. (Threatpost)
Drupal version 7.34 release announcement. (Drupal.org)
Drupal SA-CORE-2014-006 security advisory. (Drupal.org)
Drupal core project page. (Drupal.org)
Drupal 7.34 release notes. (Drupal.org)
Drupal 6.34 release notes. (Drupal.org)
Drupal version 7.x git commit log. (Drupalcode.org)
Drupal version 6.x git commit log. (Drupalcode.org)