====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN644
_____________________________________________________________________

DATE                : 26/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal core versions prior to
                            9.0.9, 8.9.10, 8.8.12, 7.75.

=====================================================================
https://www.drupal.org/sa-core-2020-013
_____________________________________________________________________

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013


Project:          Drupal core
Date:             2020-November-25

Security risk:
Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon

Vulnerability:    Arbitrary PHP code execution
CVE IDs:          CVE-2020-28949
                  CVE-2020-28948


Description:

The Drupal project uses the PEAR Archive_Tar library. The PEAR
Archive_Tar library has released a security update that impacts Drupal.
For more information please see:

    CVE-2020-28948
    CVE-2020-28949

Multiple vulnerabilities are possible if Drupal is configured to allow
.tar, .tar.gz, .bz2, or .tlz file uploads and processes them.

To mitigate this issue, prevent untrusted users from uploading .tar,
.tar.gz, .bz2, or .tlz files.

This is a different issue than SA-CORE-2019-012. Similar configuration
changes may mitigate the problem until you are able to patch.


Solution:

Install the latest version:

    If you are using Drupal 9.0, update to Drupal 9.0.9
    If you are using Drupal 8.9, update to Drupal 8.9.10
    If you are using Drupal 8.8 or earlier, update to Drupal 8.8.12
    If you are using Drupal 7, update to Drupal 7.75


Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive
security coverage.

According to the regular security release window schedule, November 25th
would not typically be a core security window. However, this release is
necessary because there are known exploits for one of core's
dependencies and some configurations of Drupal are vulnerable.


Reported By:

    Luke Stewart


Fixed By:

    Jess of the Drupal Security Team
    Drew Webber of the Drupal Security Team
    Michael Hess of the Drupal Security Team
    Neil Drumm of the Drupal Security Team
    Lee Rowlands of the Drupal Security Team



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================