Drupal 7 and 8 core highly critical release: PSA-2018-003

On Monday, 23 April 2018 at 16:27 UTC, the Drupal security team issued PSA-2018-003 advising of a highly critical security release for Drupal 7 as well as the 8.4.x and 8.5.x branches of Drupal 8. On Wednesday, 25 April 2018, Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004 was released.

At this time, Acquia has implemented platform mitigations, based on the core release, for the vulnerability announced in SA-CORE-2018-004. These mitigations should cover most scenarios, but they should not be seen as a substitute for patching. It is still highly recommended that all customers apply the patched Drupal version to their applications as soon as they are able. Updating your application as soon as the release is available will be the fastest and most effective way to ensure your application is secure.

Remote Administration (RA) Services

For customers with subscriptions that include Remote Administration (RA) services, Acquia began providing security updates immediately following the release on Wednesday, 25 April 2018. However, due to the large volume of applications we update, customers should expect to receive an update within 48 hours of the update being released. We highly recommend you plan to move this update to your production environment as soon as you can.

Attention Drupal 8 users: Remote Administration automation will update your application to the currently supported 8.5.x release. For customers with applications still on the 8.3.x and 8.4.x branches, if you wish to remain on these branches, we highly recommend you implement updates yourself as soon as they are released.

As soon as you receive an update ticket from us, we strongly recommend you test and respond quickly to allow us to update your production application. Acquia will not move forward with updates until they are tested and explicitly approved in the Remote Administration ticket.

If you receive an update ticket and are already in the process of updating your application, no further action is required. Simply set the ticket to solved.

Reported Issues

We have received reports from customers that the latest Drupal security patch sometimes causes errors with the functionality of the Domain modules in their applications.

Customers with applications impacted by these errors can implement a workaround by adding an extra require line before the domain include (e.g. near the end of settings.php).

require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
include DRUPAL_ROOT . '/sites/all/modules/contrib/domain/settings.inc';
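
A check for the workaround above, as an added example that is not Acquia's or Drupal's code: it reports whether a settings.php body loads request-sanitizer.inc before the Domain settings include. The function names, result labels and sample fragments are constructed for illustration, and the match on `domain/settings.inc` assumes the module directory is named `domain` wherever it is installed.

```python
import re

# A require/include statement that loads the given file; the path prefix varies per site.
LOAD = r"\b(?:require|include)(?:_once)?\b[^;]*?{}"
SANITIZER = re.compile(LOAD.format(r"includes/request-sanitizer\.inc"))
DOMAIN = re.compile(LOAD.format(r"domain/settings\.inc"))


def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments so disabled lines are ignored."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return "\n".join(
        line for line in php.splitlines() if not re.match(r"\s*(//|#)", line)
    )


def check_settings(php):
    """Classify one settings.php body against the workaround's ordering requirement."""
    code = strip_comments(php)
    domain = DOMAIN.search(code)
    if domain is None:
        return "not-applicable"          # no Domain include, workaround not needed
    sanitizer = SANITIZER.search(code)
    if sanitizer is None:
        return "missing-require"
    if sanitizer.start() > domain.start():
        return "require-after-include"   # present, but loaded too late to help
    return "ok"


# Constructed settings.php fragments (not taken from any real site).
REQUIRE = "require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';\n"
INCLUDE = "include DRUPAL_ROOT . '/sites/all/modules/contrib/domain/settings.inc';\n"
SAMPLES = {
    "fixed": "<?php\n$conf['x'] = 1;\n" + REQUIRE + INCLUDE,
    "unpatched": "<?php\n" + INCLUDE,
    "disabled": "<?php\n// " + REQUIRE + INCLUDE,
    "wrong-order": "<?php\n" + INCLUDE + REQUIRE,
    "no-domain": "<?php\n$conf['x'] = 1;\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} {check_settings(body)}")
```

To audit real sites, pass the contents of each site's settings.php to check_settings and follow up on any result other than "ok" or "not-applicable".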

Updates

This article will be updated as new information becomes available. We recommend following the Acquia Support Twitter account for notification of updates to this article.

Last updated: 30 April 2018, 12:23 PM PDT
