Why the Drupal/WordPress Security Vulnerability Matters to You — Even If Your Site Isn't Built In Either!

August 8, 2014

“DrupalThe latest major website security vulnerability to be discovered can impact an entire website or server instantly, making websites unresponsive or unavailable. Although the vulnerability targets websites built in Drupal and WordPress, it has the potential to take down all websites on a shared server.

Salesforce.com’s Nir Goldshlager, a security researcher, discovered the vulnerability, which uses an XML Quadratic Blowup Attack to max out a server’s memory reserves and leave it incapable of fulfilling requests.

Goldshlager notified Drupal and WordPress before disclosing the risk to the public, allowing both teams to create security patches and to protect against further exploit. The news became public on August 6, 2014.

Considering that Drupal and WordPress are two of the most widely used content management systems, the potential risks and hazards of this vulnerability are great — WordPress alone is reported to power more than half of all websites on the Internet using a Content Management System.

Even websites not built in Drupal or WordPress can be affected, and are at risk if housed on a shared server with unpatched websites.

When the vulnerability is exploited, the attack can seize 100 percent of the server’s available RAM and processor cycles, thereby rendering it unable to serve web pages. It effectively leaves all websites on the server inaccessible.

None of the sites we host were compromised, and our team has completed patching all sites on our servers to WordPress version 3.9.2, and all Drupal sites to versions 7.31 or 6.33. Providing prompt service to our clients is imperative, and the team worked quickly to ensure that all sites hosted with us were patched.

Affected installations include:

  • Drupal core 7.x versions prior to 7.31
  • Drupal core 6.x versions prior to 6.33
  • Wordpress versions prior to 3.9.2

What You Need To Do

WordPress/Drupal site hosted through DesignHammer: No action needed. We've completed patches and our servers are secure.

Website not built in Drupal/WordPress, and hosted through DesignHammer: Take no action. All servers secured.

WordPress/Drupal site not hosted through DesignHammer: Update software immediately: WordPress 3.9.2 Security Release and Drupal Core Update. *See note below

Website not built in Drupal/WordPress, and not hosted through DesignHammer: Contact your hosting provider to ensure any Drupal and WordPress sites that could be hosted on your server have been updated to the latest version.

*Note: Even if your own website is patched, it can still be affected by an unpatched website through a shared-host server. Any unpatched sites can be taken down by the vulnerability, and disable the entire server including your website.

If you have any questions about the vulnerability, or are hosted on a server with vulnerable Drupal or WordPress websites, please contact us.