Drupal 7 Security Issue: Don't Panic

Today, October 15, 2014, at 12:02 pm, the Drupal Security team released a security advisory for Drupal 7.x Core: SA-CORE-2014-005 - Drupal core - SQL injection.

There is a fix that needs to be applied to your site(s).

 

Description of Security Issue:

The security issue is a SQL Injection vulnerability in the database abstraction API. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution.

Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. 
 

Severity:

The Drupal Security team has classified the security risk as "Highly Critical": 20/25 (Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
 
This is near the highest possible security risk level; the security fix should be applied immediately. Although no known exploits are in wide use at this time, Drupal 7 sites are exposed to this vulnerability until they are updated.
 

Who is Impacted:

All sites with Drupal core 7.x versions prior to 7.32 are vulnerable.
 

Promet's Response:

If you are enrolled in a Monthly Support contract with Promet Source, unless you have told us otherwise, we have updated or are in the process of updating your site.
 
If not, at your request, we can install the latest version of Drupal core onto your development environment and push to production. If there are no errors found with the install of the latest version of Drupal, we estimate the install and deployment to take 2 hours.
If we encounter any issues or are unable to install the latest version of Drupal core, we can instead apply a patch to Drupal's database.inc file to fix the vulnerability until such time as you are able to completely upgrade to Drupal 7.32.
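
To confirm which of the two remediations above a given site actually has, the following added example (not Promet's or the Drupal project's own code) classifies a docroot as fixed, patched, or still vulnerable. It assumes the core version constant lives in includes/bootstrap.inc and that a hand-patched includes/database/database.inc can be recognised by the array_values() call the fix introduces; classify and make_sample are hypothetical names, and the sample sites are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (7, 32)  # first release with the fix, per the advisory
# Drupal 7 core declares its version in includes/bootstrap.inc.
VERSION_RE = re.compile(r"define\('VERSION',\s*'(\d+)\.(\d+)([^']*)'\)")
# Assumption: a hand-applied database.inc patch is recognised by the
# array_values() call the fix adds to the placeholder loop.
PATCH_MARKER = "foreach (array_values($data) as $i => $value)"


def classify(root):
    """Return 'fixed', 'patched', 'vulnerable' or 'not-drupal7' for a docroot."""
    root = Path(root)
    bootstrap = root / "includes" / "bootstrap.inc"
    if not bootstrap.is_file():
        return "not-drupal7"
    m = VERSION_RE.search(bootstrap.read_text(errors="replace"))
    if not m or m.group(1) != "7":
        return "not-drupal7"
    # A suffix such as -dev is not a release, so only the patch check counts.
    if not m.group(3) and (7, int(m.group(2))) >= FIXED:
        return "fixed"
    dbinc = root / "includes" / "database" / "database.inc"
    if dbinc.is_file() and PATCH_MARKER in dbinc.read_text(errors="replace"):
        return "patched"
    return "vulnerable"


def make_sample(base, name, version, patched):
    """Build a constructed, minimal docroot for the demo (not real core files)."""
    root = Path(base) / name
    (root / "includes" / "database").mkdir(parents=True)
    (root / "includes" / "bootstrap.inc").write_text(
        "<?php\ndefine('VERSION', '%s');\n" % version)
    loop = PATCH_MARKER if patched else "foreach ($data as $i => $value)"
    (root / "includes" / "database" / "database.inc").write_text(
        "<?php\n%s {\n}\n" % loop)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver, patched in [("a", "7.31", False), ("b", "7.31", True),
                                   ("c", "7.32", True), ("d", "7.32-dev", False)]:
            print(name, ver, classify(make_sample(tmp, name, ver, patched)))
```

A "patched" result means the site is still on an older core release and should be scheduled for the full upgrade to Drupal 7.32.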


Further Reading:

More information is available on the security release's FAQ page.

Please note: We strongly advise that ALL of our clients (and anyone using Drupal 7) keep their site(s) secure by installing this update.