WordPress and Drupal are both releasing security updates today that affect all supported versions of the two popular CMS platforms.
Nir Goldshlager, a security researcher and part of the Salesforce.com Product Security Team, discovered a PHP-level vulnerability that could result in denial of service (DoS) attacks. Goldshlager notified the PHP, WordPress, and Drupal security teams all at once.
The vulnerability is within a PHP XML parser used by XML-RPC, which is “vulnerable to an XML entity expansion attack which can cause CPU and memory exhaustion, and MySQL to reach the maximum amount of open connections.”
The bug itself is relatively minor, but of interest is the collaboration between the WordPress and Drupal teams to create a fix. WordPress lead developer Andrew Nacin and Mike Adams of the WordPress security team collaborated on a fix for the vulnerability and offered to coordinate with the Drupal security team.
The fix devised by Nacin and Adams prevents the XML-RPC vulnerability while keeping the feature active. Turning off XML-RPC would have left the burden of handling the fix on the site owner or host and would have harmed clients such as the mobile apps.
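The approach described above, refusing entity declarations in an XML-RPC request rather than disabling the endpoint, as an added illustration in Python's standard library (not the WordPress, Drupal or Incutio library code; the sample payloads and function names are constructed for this example):

```python
import re
import xml.parsers.expat

# Constructed sample: an ordinary XML-RPC call that a server should accept.
BENIGN_CALL = (
    '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName>'
    '<params><param><value><string>hi</string></value></param></params>'
    '</methodCall>'
)

# Constructed sample: a DOCTYPE with chained internal entities. Each level
# multiplies the expanded size, which is how entity expansion exhausts a
# parser's CPU and memory. Kept tiny here; the check must not depend on size.
ENTITY_CALL = (
    '<?xml version="1.0"?><!DOCTYPE methodCall [ <!ENTITY a "xxxxxxxxxx">'
    ' <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> ]>'
    '<methodCall><methodName>&b;</methodName></methodCall>'
)

# XML-RPC never needs a DTD, so any declaration is grounds to refuse the
# request before parsing. Case-insensitive and tolerant of odd whitespace.
_DECL_RE = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)


def has_dtd_declaration(payload: str) -> bool:
    """Cheap pre-parse gate: True if the request declares a DOCTYPE or ENTITY."""
    return _DECL_RE.search(payload) is not None


class EntityDeclaration(Exception):
    """Raised when a request tries to declare an entity."""


def parse_method_name(payload: str, pre_check: bool = True) -> str:
    """Return the methodName of an XML-RPC call, refusing any entity declaration.

    Two layers: the string gate above, then an expat handler that aborts on the
    first <!ENTITY> so nothing is ever expanded even if the gate is skipped.
    """
    if pre_check and has_dtd_declaration(payload):
        raise EntityDeclaration("DTD declarations are not accepted over XML-RPC")
    state = {"in_name": False, "name": ""}
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        raise EntityDeclaration(f"entity {name!r} declared in request")

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda tag, attrs: state.update(in_name=(tag == "methodName"))
    parser.EndElementHandler = lambda tag: state.update(in_name=False)
    parser.CharacterDataHandler = lambda d: state.update(name=state["name"] + d) if state["in_name"] else None
    parser.Parse(payload, True)  # raises EntityDeclaration before any expansion
    return state["name"]
```

The expat handler is the layer that matters if the request reaches the parser by a path that skips the string check; it stops parsing at the declaration itself, so the multiplier is never applied.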
So, interestingly enough, two WordPress core developers are getting props today for both WordPress and Drupal releases. The respective security teams and Goldshlager have been working together for a couple of weeks now to appropriately address the situation and refine the patch included in today’s updates. The patch itself is for an external library that WordPress has always used, called the Incutio XML-RPC Library. Drupal uses a derivative of the same library, making the collaboration between the two teams quite logical and straightforward.
Andrew Nacin tells me that this is the first time he knows of that the WordPress and Drupal security teams have collaborated. It certainly goes to show just how beneficial open source is, that two completely different CMS platforms are able to quickly close such security holes.
The WordPress security release includes a few other minor security patches as well, but the collaboration between the WordPress and Drupal security teams is what makes this release most noteworthy, in my opinion.
WordPress will be automatically upgrading all eligible websites on the WordPress 3.7 through 3.9 branches to include these fixes, as well as the WordPress 4.0 beta. The latest stable branch is now WordPress 3.9.2, and the WordPress 4.0 development branch is in beta 3. The release of WordPress 4.0 is still on target for the week of August 25th.
If you have automatic updates enabled for WordPress, you’ll see those roll out shortly; otherwise, you can download it from WordPress.org. You can also check out the official release posts for both Drupal and WordPress on their respective blogs.
Methinks the tens of thousands of folks who’ve had their servers brought down over the past couple months due to mass xmlrpc.php connections might have a different opinion about this being a “minor issue.”
You may be thinking of some clever attempts to abuse pingbacks, but this was not a vulnerability we believe was seen in the wild at all.
Hi Brian
You are incorrect here:
One of the pillars of security is Availability. This bug has wide-ranging impacts. Sites / servers could be brought down in an instant. It took us 15 minutes to replicate and create a script to attack. Some minor modifications and we can create a bot to attack as many Drupal and WordPress installs on the web.
I can assure you that People will not agree this is minor.
Thanks
Tony
I agree availability is important. It’s also worth noting the vulnerability I focused on is not one that allows code execution, and only happens when XML-RPC is enabled. A site going down is better than a site being used to send out additional malicious activity.
I wasn’t trying to downplay a vulnerability, I was telling an interesting story of collaboration between the two CMS’ security teams and the reporter.
Also, with auto-updates on the vast majority of sites (last 3 major versions) it’s a vulnerability that has a short shelf life.
Nevertheless, point noted.
Your approach to categorization of a Security issue is, unfortunately, incorrect.
Nice feel good story though, kudos to the teams.
🙂
Okay, thanks for your input.
As usual a great post. I think that the fact that such collaboration between some of the most important developers in Drupal and WordPress happened is much more interesting than the vulnerability itself.
Working every day with Drupal and WordPress it’s awesome to know that you guys are working together. thumbs up 🙂
Is this affecting WordPress 3.4 too?