Drupal Release: 8.3.9

TL;DR

Drupal 8.3.9 Security Release

This is a critical security release addressing a highly critical remote code execution vulnerability (SA-CORE-2018-002). All Drupal 8 sites are strongly urged to update immediately as this patch fixes a severe security issue that could allow attackers to compromise your site. This release contains no new features or non-security bug fixes.

Highlight of the Release

• Critical security fix for remote code execution vulnerability (SA-CORE-2018-002)
• Coordinated security release with multiple contributors
• Affects all Drupal 8 sites regardless of configuration

Migration Guide

No migration steps are required for this update. This is a direct security patch that does not change APIs or functionality.

To update:

1. Back up your site's files and database
2. Update Drupal core to version 8.3.9 using your preferred method:
   • Via Composer: composer update drupal/core --with-dependencies
   • Via Drush: drush up drupal
   • Manual update: Download the new release and replace your existing core files

After updating, clear caches and run database updates if prompted.

Upgrade Recommendations

Immediate Update Strongly Recommended

This update is CRITICAL and should be applied immediately to all Drupal 8 sites. The security vulnerability addressed in this release is highly critical and could allow attackers to completely compromise your site.

Upgrade Priority: Highest - Update immediately

If you cannot update immediately, consider taking your site offline until you can apply the update. Sites that remain unpatched are at severe risk of compromise.

If your site was exposed to the internet while vulnerable (before updating), you should assume it may have been compromised and take appropriate remediation steps, including:

• Examining logs for suspicious activity
• Checking for unauthorized user accounts or changed permissions
• Scanning for malicious code or backdoors
• Restoring from a known good backup if compromise is suspected

Bug Fixes

Security Vulnerability Fix

This release addresses a critical remote code execution vulnerability in Drupal 8's core. The security team has not provided detailed information about the specific bug to prevent exploitation on unpatched sites, which is standard practice for critical security issues.

New Features

This security release does not contain any new features. It is focused exclusively on addressing the critical security vulnerability identified as SA-CORE-2018-002.

Security Updates

SA-CORE-2018-002: Remote Code Execution

This security release fixes a highly critical vulnerability that could allow attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. The security team has classified this as a highly critical vulnerability.

The security issue affects all Drupal 8 installations. The vulnerability is related to how Drupal handles certain types of data, potentially allowing attackers to execute arbitrary code on the server.

This fix was developed through collaboration between multiple security team members and contributors including Jasu_M, samuel.mortenson, David_Rothstein, xjm, mlhess, larowlan, pwolanin, alexpott, dsnopek, Pere Orga, cashwilliams, dawehner, tim.plunkett, and drumm.

Performance Improvements

No specific performance improvements are included in this release. This update focuses exclusively on the critical security fix.

Impact Summary

This security release addresses a highly critical remote code execution vulnerability that affects all Drupal 8 sites. The impact of this vulnerability is severe, as it could allow attackers to completely compromise affected sites, potentially gaining full control of the server, accessing sensitive data, or defacing the website.

The security team has taken the unusual step of not disclosing full details of the vulnerability to prevent exploitation of unpatched sites. This indicates the serious nature of the issue and the ease with which it could potentially be exploited.

Sites that are not promptly updated are at significant risk. The security community has observed that vulnerabilities of this nature are often exploited within hours of disclosure, with automated attacks targeting unpatched sites at scale.

This release demonstrates the Drupal security team's commitment to addressing critical vulnerabilities quickly and the strength of the community response, with multiple contributors collaborating on the fix.