HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

Drupal

>

Releases

>

7.32

Drupal Release: 7.32

Tag Name: 7.32

Release Date: 10/15/2014

View Release
Drupal LogoDrupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

Open SourceDeveloper-FriendlyEnterprise

TL;DR

Drupal 7.32 addresses a critical SQL injection vulnerability

This security release fixes a highly critical SQL injection vulnerability (SA-CORE-2014-005) that affects all Drupal 7 sites. This vulnerability allows attackers to execute arbitrary SQL queries against the Drupal database, potentially leading to data theft, site defacement, or complete site compromise. All Drupal 7 site owners should update immediately to version 7.32.

Highlight of the Release

    • Fixed critical SQL injection vulnerability (SA-CORE-2014-005)
    • Added security tests to prevent similar vulnerabilities in the future
    • All Drupal 7 sites should update immediately regardless of configuration

Migration Guide

No migration steps are required for this security update. Site administrators should:

  1. Update to Drupal 7.32 immediately
  2. Check for signs of compromise if the site was not updated promptly after the security advisory was released
  3. Consider changing all passwords and session identifiers if compromise is suspected
  4. Review logs for unusual activity

For sites that may have been compromised before patching, refer to the Drupal security team's recommendations for post-compromise recovery procedures.

Upgrade Recommendations

Immediate Update Required

Upgrade Priority: CRITICAL

All Drupal 7 sites should be updated to version 7.32 immediately. This security update addresses a highly critical vulnerability that can be exploited by remote attackers without authentication.

Upgrade Steps:

  1. Back up your database and site files
  2. Update your site to Drupal 7.32 using your preferred method (Drush, manual update, etc.)
  3. Run the database update script (update.php)
  4. Clear all caches
  5. Check your site for proper functionality

If you cannot update immediately, consider temporarily taking your site offline until you can apply the update.

Note: If your site was not updated promptly after the security advisory was released, you should assume your site may have been compromised and take appropriate remediation steps.

Bug Fixes

Critical SQL Injection Vulnerability Fixed

This release fixes a highly critical SQL injection vulnerability in Drupal 7's database abstraction API. The vulnerability allowed attackers to execute arbitrary SQL queries against the Drupal database, potentially leading to:

  • Unauthorized access to sensitive data
  • Creation of unauthorized administrator accounts
  • Modification or deletion of database content
  • Complete site compromise

The vulnerability affects all Drupal 7 sites regardless of the database driver being used.

New Features

No new features were added in this security release. Drupal 7.32 is focused entirely on addressing the critical SQL injection vulnerability identified in SA-CORE-2014-005.

Security Updates

SA-CORE-2014-005: SQL Injection Vulnerability

This security release fixes a critical vulnerability in Drupal 7's database abstraction API that could allow attackers to execute arbitrary SQL queries against the Drupal database.

Vulnerability details:

  • Risk level: Highly Critical
  • CVSS score: 25/25 (Critical)
  • Vulnerability: SQL Injection
  • Affected versions: All Drupal 7.x versions prior to 7.32

The vulnerability exists in the database abstraction layer and affects all sites using Drupal 7, regardless of the database driver being used. Attackers do not need to have any valid account on the system to exploit this vulnerability.

Additional security tests have been added to prevent similar vulnerabilities in the future.

Performance Improvements

No specific performance improvements were included in this release. Drupal 7.32 is a security-focused release that addresses the critical SQL injection vulnerability.

Impact Summary

This security release addresses one of the most serious vulnerabilities ever discovered in Drupal 7. The SQL injection vulnerability (SA-CORE-2014-005) allows attackers to execute arbitrary SQL queries against the Drupal database without requiring authentication or any special site configuration.

The vulnerability affects all Drupal 7 sites regardless of configuration or installed modules. Exploitation of this vulnerability could lead to complete site compromise, including:

  1. Unauthorized access to all data in the database
  2. Creation of unauthorized administrator accounts
  3. Modification or deletion of content
  4. Installation of backdoors for persistent access

Due to the severity of this vulnerability, all Drupal 7 site owners should update immediately to version 7.32. Sites that were not updated promptly after the security advisory was released should be considered potentially compromised and undergo security auditing.

The Drupal security team has added tests to prevent similar vulnerabilities in the future. This release demonstrates the project's commitment to addressing security issues quickly and transparently.

Statistics:

File Changed4
Line Additions34
Line Deletions2
Line Changes36
Total Commits3

User Affected:

  • Must update their Drupal 7 installations immediately to patch the critical SQL injection vulnerability
  • Should audit their sites for potential compromise if they were not patched promptly
  • Need to follow the security advisory recommendations for post-update actions

Contributors:

DavidRothstein