There are public exploits now available for SA-CORE-2019-003 -- https://www.drupal.org/psa-2019-02-22
This only applies to your site if:
The site has the Drupal 8 core RESTful Web Services (rest) module enabled.
- OR -
The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7, or custom code that allows entity updates via non-form sources.
In response, amazee.io have made the decision to disable modules on unpatched sites to protect them from exploits.
We are planning to disable all modules on site that have yet to apply the latest patches. This change will be rolled out at 4:00 UTC to allow some time to patch sites. If you would like to opt out of this change please contact us as soon as possible.
We understand this may break functionality on some sites that depend on these modules but believe it is far better to deal with a broken site than a hacked one.
If you find the modules have been disabled we recommend you follow the mitigation instructions on the PSA before re-enabling the modules.
If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
Be sure to install any available security updates for contributed projects after updating Drupal core.