Buckle up, folks. If you're looking for a fantastic example of the need for sound vulnerability management programs, read on (this is about more than Drupal):
The day before Thanksgiving, Drupal released a patch for a critical vulnerability for which exploit code is available. 1/n
Oh, BTW this is a serialization vulnerability. This is bad. It allows for a local file overwrite. In most cases, this means it will result in an RCE.

Did your team notice the vulnerability notification on Wednesday? The day before Thanksgiving? 2/n
I hear the choirs of "we don't use Drupal because CMS are all vulnerable" but that's dumb. Your corp website probably uses a CMS of some variety. "Custom developed" means that nobody else is looking at the code. In most cases, this is security through obscurity. 3/n
But let's address the "CMS are okay, but Drupal is scary so we don't use it" crowd. Is the vulnerability *REALLY* in Drupal?

Oh snap, it isn't. It's in a PHP PEAR library that involves the handling of tar files. Drupal uses the library, noticed the issue, and moved to patch. 4/n
Now we're on to an SCA/SBOM discussion. Do you have applications that use the PEAR Archive_Tar library? If so, it needs an update.

But here's the rub: your vulnerability scanner probably won't find this for you. You need to know what open source libraries are in your apps. 5/n
Because while some in the security community (the few people who noticed anyway) said "another Drupal vulnerability, those clowns," the reality is that maybe instead of calling them clowns we should be calling them heroes. They did the needful. 6/n
Good vulnerability management program managers have been fighting to get SCA and SBOM in place. They're most likely to be ready to respond to this.

They probably saw the vulnerability report a week ago because they knew Archive_Tar mattered to them. 7/n
So here's the situation: a lot of projects make use of PEAR, many of them use Archive_Tar. You're now in a race against attackers to find other places where it's used.

Have a happy Friday and a great weekend. Your adversaries certainly will. /FIN
You can follow @MalwareJake.
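The thread's practical ask is an inventory question: which of your applications pull in PEAR Archive_Tar, and at what version? The script below is an added example, not code from the thread or from Drupal, that answers that question for Composer-managed PHP projects by walking a directory tree, reading every composer.lock, and flagging pinned copies of pear/archive_tar older than a minimum version. The minimum safe version is not stated in the thread, so the code takes it as a parameter; the "1.4.5" threshold and the lock-file contents in the demo are constructed sample values, not the real fixed release, which you must take from the vendor advisory. Copies installed through the PEAR channel rather than Composer are an assumption this scan does not cover.

```python
"""Added example: find Composer projects that pin pear/archive_tar below a minimum version."""
import json
import os
import re
from typing import Dict, List, Tuple

# Packagist name of the library the thread discusses (assumption: the
# application pulls it in through Composer; PEAR-channel installs are not
# visible to this scan).
TARGET_PACKAGE = "pear/archive_tar"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v1.4.2', '1.4.2-p1' or '1.4' into a comparable (major, minor, patch) tuple."""
    parts: List[int] = []
    for piece in re.split(r"[.\-+]", version.lstrip("vV")):
        match = re.match(r"\d+", piece)
        if not match:
            break  # stop at the first non-numeric component (pre-release tags etc.)
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def find_target(lock_text: str) -> List[Tuple[str, str]]:
    """Return (section, version) for every occurrence of TARGET_PACKAGE in a composer.lock."""
    data = json.loads(lock_text)
    hits: List[Tuple[str, str]] = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name", "").lower() == TARGET_PACKAGE:
                hits.append((section, pkg.get("version", "0.0.0")))
    return hits


def assess_lock(lock_text: str, min_safe: str) -> List[Dict[str, object]]:
    """Flag each pinned copy whose version is older than min_safe."""
    floor = parse_version(min_safe)
    return [
        {"section": section, "version": version,
         "needs_update": parse_version(version) < floor}
        for section, version in find_target(lock_text)
    ]


def scan_tree(root: str, min_safe: str) -> Dict[str, List[Dict[str, object]]]:
    """Walk a directory tree and assess every composer.lock found (skips vendor/ copies)."""
    report: Dict[str, List[Dict[str, object]]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "vendor"]  # nested vendored locks are noise
        if "composer.lock" in filenames:
            path = os.path.join(dirpath, "composer.lock")
            with open(path, encoding="utf-8") as fh:
                hits = assess_lock(fh.read(), min_safe)
            if hits:
                report[path] = hits
    return report


# Constructed sample lock files (not real projects): one pins an old copy as a
# runtime dependency, one only pulls it in for development, one does not use it.
SAMPLE_LOCK_OLD = json.dumps({
    "packages": [
        {"name": "pear/archive_tar", "version": "1.4.0"},
        {"name": "pear/pear_exception", "version": "v1.0.1"},
    ],
    "packages-dev": [],
})
SAMPLE_LOCK_DEV_ONLY = json.dumps({
    "packages": [{"name": "symfony/console", "version": "v4.4.0"}],
    "packages-dev": [{"name": "pear/archive_tar", "version": "v1.5.0"}],
})
SAMPLE_LOCK_CLEAN = json.dumps({"packages": [], "packages-dev": []})


def demo(min_safe: str = "1.4.5") -> Dict[str, List[Dict[str, object]]]:
    """Run the check on the constructed samples. "1.4.5" is a made-up threshold;
    take the real minimum from the vendor advisory."""
    samples = (("old", SAMPLE_LOCK_OLD), ("dev-only", SAMPLE_LOCK_DEV_ONLY), ("clean", SAMPLE_LOCK_CLEAN))
    return {name: assess_lock(text, min_safe) for name, text in samples if assess_lock(text, min_safe)}


if __name__ == "__main__":
    for name, hits in demo().items():
        for hit in hits:
            state = "UPDATE" if hit["needs_update"] else "ok"
            print(f"{name}: {TARGET_PACKAGE} {hit['version']} in {hit['section']} -> {state}")
```

Run `scan_tree("/srv/www", "<version from advisory>")` against a checkout root to get a per-lock-file report; the "packages-dev" section is reported separately because a dev-only copy never ships to production but still sits on build hosts. This is the kind of answer an SCA tool or a maintained SBOM gives you in minutes; without one, a transitive dependency like this is exactly what a network vulnerability scanner cannot see.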