
====================================================================

                              CERT-Renater

                 Information Note No. 2017/VULN246
_____________________________________________________________________

DATE                : 07/09/2017

HARDWARE PLATFORM(S):  /

OPERATING SYSTEM(S): Systems running CAPTCHA for Drupal 7.x, versions prior to 7.x-1.5.

=====================================================================
https://www.drupal.org/node/2907137
____________________________________________________________________

CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073

Posted by Drupal Security Team on 6 Sep 2017 at 19:21 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2017-073
Project: CAPTCHA (third-party module)
Version: 7.x
Date: 2017-September-06
Security risk: 10/25
(Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Proof/TD:Default
Vulnerability: Denial of Service


Description

This module enables you to use various techniques to block automated
scripts / robots from submitting content to a site, e.g. to block spam
comments.

The module doesn't properly store the session ID of visitors who are
given a session, which could lead to a Denial of Service attack.

This vulnerability is mitigated by the fact that Drupal does not give a
session to all visitors, especially when used with advanced caching
systems like Varnish.


CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in
accordance with Drupal Security Team processes.


Versions affected

CAPTCHA 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed CAPTCHA
module, there is nothing you need to do.
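
To check whether an installed copy falls in the affected range, the version
string that the drupal.org packaging script records in the module's .info file
(normally sites/all/modules/captcha/captcha.info) can be parsed and compared
against 7.x-1.5. This is an added example, not code from the advisory or the
CAPTCHA project; the .info contents below are constructed sample data, and the
handling of pre-release and -dev versions is this example's own assumption.

```python
import re
from typing import Optional, Tuple

FIXED = (1, 5)  # CAPTCHA 7.x-1.5 is the first fixed release (SA-CONTRIB-2017-073)

# Constructed sample of a captcha.info file; the trailing block mimics the
# metadata drupal.org packaging appends (date/datestamp values are made up).
SAMPLE_INFO = """name = CAPTCHA
description = Base CAPTCHA module for adding challenges to arbitrary forms.
package = Spam control
core = 7.x

; Information added by Drupal.org packaging script on 2016-08-03
version = "7.x-1.4"
core = "7.x"
project = "captcha"
datestamp = "1470236946"
"""

VERSION_RE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?', re.MULTILINE)
# 7.x-<major>.<minor>[-<suffix>], e.g. 7.x-1.4, 7.x-1.5-beta1, 7.x-1.x-dev
PARSED_RE = re.compile(r'^7\.x-(\d+)\.(\d+|x)(?:-([A-Za-z0-9]+))?$')


def info_version(info_text: str) -> Optional[str]:
    """Return the version string recorded in a Drupal 7 .info file, if any."""
    m = VERSION_RE.search(info_text)
    return m.group(1) if m else None


def is_affected(version: str) -> Optional[bool]:
    """True if a CAPTCHA 7.x-1.x version is prior to 7.x-1.5, False if it is
    7.x-1.5 or later, None if undecidable (dev snapshot, other series, garbage)."""
    m = PARSED_RE.match(version)
    if not m:
        return None
    major, minor, suffix = m.group(1), m.group(2), m.group(3)
    if minor == "x" or suffix == "dev":
        return None  # branch snapshot: no release number to compare against
    if int(major) != FIXED[0]:
        return None  # the advisory only covers the 7.x-1.x series
    if (int(major), int(minor)) < FIXED:
        return True
    if (int(major), int(minor)) == FIXED and suffix:
        return True  # alpha/beta/rc of 1.5 predates the fixed release
    return False


def check_info(info_text: str) -> Tuple[Optional[str], Optional[bool]]:
    """(version, affected) for the given .info contents; (None, None) if absent."""
    v = info_version(info_text)
    return v, (is_affected(v) if v else None)
```

A result of None means the version could not be classified and needs a manual look (for example a -dev checkout, which should be compared against the fix commit rather than a release number).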


Solution

Install the latest version:

If you use the CAPTCHA module for Drupal 7.x, upgrade to CAPTCHA 7.x-1.5.

Also see the CAPTCHA project page.


Reported by

Nightwalker3000


Fixed by

Fabiano Sant'Ana, the module's maintainer.


Coordinated by

Lee Rowlands of the Drupal Security Team.
Damien McKenna of the Drupal Security Team.


Contact and More Information

The Drupal security team can be reached at security at drupal.org or
via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================