Protecting unpatched sites from exploits - SA-CORE-2019-003
Incident Report for
This incident has been resolved.
Posted 2 months ago. Mar 07, 2019 - 15:01 CET
Thank you to all the customers that were able to patch their sites quickly in response to PSA-2019-02-22.

We have disabled modules on sites that we have found to be vulnerable however we were not able to cover all sites for a number of reasons and have notified customers of the issues.

We still strongly recommend that customers check their sites and patch as soon as possible and will continue to monitor this incident until we can confirm all sites are mitigated.
Posted 3 months ago. Feb 24, 2019 - 21:29 CET
We are continuing to work through sites that might be vulnerable to the exploits, in the meantime we strongly recommend that customers patch their sites or disable the modules if you are not able to patch immediately.
Posted 3 months ago. Feb 23, 2019 - 06:30 CET
There are public exploits now available for SA-CORE-2019-003 --

This only applies to your site if:

The site has the Drupal 8 core RESTful Web Services (rest) module enabled.
- OR -
The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7, or custom code that allows entity updates via non-form sources.

In response, have made the decision to disable modules on unpatched sites to protect them from exploits.

We are planning to disable all modules on site that have yet to apply the latest patches. This change will be rolled out at 4:00 UTC to allow some time to patch sites. If you would like to opt out of this change please contact us as soon as possible.

We understand this may break functionality on some sites that depend on these modules but believe it is far better to deal with a broken site than a hacked one.

If you find the modules have been disabled we recommend you follow the mitigation instructions on the PSA before re-enabling the modules.

If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.
If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.
Be sure to install any available security updates for contributed projects after updating Drupal core.
Posted 3 months ago. Feb 23, 2019 - 03:55 CET
This incident affected: Germany (de1.compact), Finland (fi1.compact), General (API, Deployment Infrastructure, Nameservers, dev1.compact), South Africa (sa1.compact), United Kingdom (uk1.compact, uk2.compact), Japan (jp1.compact), USA (us1.lagoon), and Switzerland (zh1.compact, zh2.compact, ch1.lagoon).