• Advisory ID: DRUPAL-SA-CONTRIB-2017-027
• Project: AES encryption (third-party module)
• Version: 7.x, 8.x
• Date: 2017-March-01

Description

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm.

The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be possible. The maintainer has opted not to fix these weaknesses. See solution section for details on how to migrate to a supported and more secure AES encryption module.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All versions of the AES module

Drupal core is not affected. If you do not use the contributed AES encryption module, there is nothing you need to do.

Solution

If you’re using the AES only because Drupal Remote Dashboard (DRD) and Drupal Remote Dashboard Server (DRD Server) depend on it, then update to the latest versions of DRD or DRD Server and disable the AES module — those modules no longer depend on it.

In all other situations, you can replace the AES module with the Real AES module:

• If you don’t have a recent backup, make a backup of your site’s database and codebase. Consider taking your site offline (e.g. using Drupal’s maintenance mode) as some features may not work properly during this upgrade process.
• Do NOT follow the normal uninstall process for the AES module. The uninstall process would delete your encryption key and make it impossible to recover your data! Instead, disable the module and delete the AES module directory without uninstalling the module.
• Download and extract the latest release of Real AES
• Download and extract the latest release of Key
• Enable the Real AES, Key and AES compatibility modules
• Use the Key module to create a new 128-bit encryption key with the name “Real AES Key”.
• Clear all your Drupal caches.
• Modules that depend on AES and store encrypted data will continue to function as normal. They should decrypt and re-encrypt any stored data. The Real AES module provides some functions from the AES module (like, aes_encrypt() and aes_decrypt()) which can decrypt using your old key, but will re-encrypt using the new key and more correct AES encryption.

More detailed instructions available on the AES project page

Also see the AES encryption project page.

Reported by

• Heine Deelstra of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-026
• Project: Location Map (third-party module)
• Version: 7.x
• Date: 2017-March-01
• Security risk: 10/25 ( Moderately Critical) AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default
• Vulnerability: Cross Site Scripting, Access bypass

Description

This module enables you to display one simple location map via Google Maps.

The module doesn’t sufficiently sanitize user input in the configuration text fields of the module (allows any tags and does not respect text format configuration).

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer locationmap”.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• locationmap 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Location Map module, there is nothing you need to do.

Solution

Install locationmap-7.x-2.4

Also see the Location Map project page.

Reported by

• Stefan Korn

Fixed by

• Stefan Korn the module co-maintainer

Coordinated by

• Michael Hess of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-025
• Project: Remember Me (third-party module)
• Version: 7.x
• Date: 2017-March-01

Description

Remember me is a module that allows users to check “Remember me” when logging in.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• All versions

Drupal core is not affected. If you do not use the contributed Remember Me module, there is nothing you need to do.

Solution

If you use the remember_me module for Drupal 7.x you should uninstall it.

Also see the remember_me project page.

Reported by

• Kristiaan Van den Eynde

Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

• Advisory ID: DRUPAL-SA-CONTRIB-2017-024
• Project: RESTful Web Services (third-party module)
• Version: 7.x
• Date: 2017-March-01
• Security risk: 12/25 ( Moderately Critical) AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
• Vulnerability: Information Disclosure

Description

RestWS makes Drupal Entity data available in a REST API.

The module doesn’t sufficiently check for access to properties when filtering queries.

This vulnerability is mitigated by the fact that an attacker must have a role that allows them to access an entity type with access-controlled properties. And the attacker can only query on the property equalling a value supplied by the attacker.

CVE identifier(s) issued

• A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

• restws 7.x-2.x versions prior to 7.x-2.7.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the restws 2.x module for Drupal 7.x, upgrade to restws 7.x-2.7

Also see the RESTful Web Services project page.

Reported by

• Neil Drumm of the Drupal Security Team

Fixed by

• Neil Drumm of the Drupal Security Team

Coordinated by

• Micheal Hess of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity