Security in information systems is a constant practice that has as its first recommendation to keep the system updated to apply patches to known vulnerabilities. This is a joint effort between the solution provider and the client.
How secure is Drupal?
Drupal is a very secure system that also has a security team in charge of helping to keep the system safe, it regularly makes announcements about security improvements so that users can apply the improvements, thanks to the fact that it is free software and Open source, these updates are available to be applied by those who manage the site, usually implementers such as SeeD who have experience in the procedure and can help identify possible effects on development.
The security team has an action protocol for highly critical events that allows it to act preventively to close security gaps proactively and without putting stability at risk. This protocol indicates that it is announced sufficiently in advance to the community about the patch and the date on which it will be available so that preventive actions can be taken, this without revealing in this preparation period the details of the vulnerability to be closed.
In this particular case, the Drupal security team has informed that on March 28, 2018 between 18:00 and 19:30 UTC, they will release a security patch for version 7 and 8 of the Drupal core, which is highly recommended to be applied as soon as possible. The Drupal security team will be responsible for repairing the vulnerability in the system and the security release notices will appear on the security notices page of Drupal.org.
The following is recommended:
Sites on 8.2.x should upgrade to version 8.3.x in order to apply the security fix. Sites on 8.3.x should immediately upgrade to version 8.3.x as provided in the security advisory, and then plan to upgrade to the latest security release in 8.5.x. Sites on 8.4.x should immediately upgrade to version 8.4.x as provided in the security advisory, and then plan to upgrade to the latest security release in 8.5.x. Sites on 7.x or 8.5.x can upgrade immediately when the security advisory is released using the normal procedure.
At SeeD EM we have a protocol for dealing with our clients that has been activated and is in the process of being implemented to resolve the problem on the scheduled date.
If you have a site in Drupal 7.x or 8.x, we recommend taking the necessary actions to apply the patch on March 28 as soon as possible. If you want to rely on our experience, you can also contact us to provide you with specialized service.
This update will in no way affect the performance and smooth operation of the Drupal platform in your company, but it will help you stay secure and provide confidence to your users.