- Advisory ID: DRUPAL-SA-CORE-2013-002
- Project: Drupal core
- Version: 7.x
- Date: 2013-February-20
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Denial of service
Description
Drupal core’s Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives, which can fill up the server's disk space and cause a very high CPU load. Either effect may leave the site unavailable or unresponsive.
Please see the Drupal 7.20 release notes for important notes about the changes which were made to fix this issue, since some sites will require extra testing and care when deploying this Drupal core release.
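The abuse described above leaves a recognisable trace in the web server access log: one client requesting many distinct derivatives, each of which costs a generation if it does not yet exist on disk. The following is an added detection example, not code from the advisory or from Drupal core; it assumes the default public files directory sites/default/files, Common Log Format access logs, and a threshold (20 distinct derivatives per client) that is only a placeholder to tune per site.

```python
import re
from collections import defaultdict

# Drupal 7 image derivatives live under
#   <public files dir>/styles/<style name>/public/<path of original image>
# The public files directory is assumed to be the default sites/default/files.
DERIV_RE = re.compile(r'^/sites/default/files/styles/([^/]+)/public/(.+)$')
# Common Log Format: client - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse_derivative_request(line):
    """Return (client, style, original) for a derivative request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    path = path.split('?', 1)[0]          # ignore the query string
    d = DERIV_RE.match(path)
    if method != 'GET' or d is None:
        return None
    return client, d.group(1), d.group(2)

def find_derivative_floods(lines, max_new_per_client=20):
    """Count, per client, how many distinct derivatives it asked for.

    Every distinct (style, original) pair not yet on disk costs one image
    generation, so a client requesting many distinct derivatives inside one
    log window is the signature of this abuse. Returns {client: count} for
    clients over the threshold (threshold is an assumed placeholder).
    """
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_derivative_request(line)
        if parsed:
            client, style, original = parsed
            seen[client].add((style, original))
    return {c: len(s) for c, s in seen.items() if len(s) > max_new_per_client}

def constructed_log():
    """Constructed sample: one ordinary visitor, one client mass-requesting derivatives."""
    fmt = '{ip} - - [20/Feb/2013:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip='198.51.100.7', s=1, p='/sites/default/files/styles/thumbnail/public/a.jpg'),
             fmt.format(ip='198.51.100.7', s=2, p='/sites/default/files/styles/thumbnail/public/a.jpg'),
             fmt.format(ip='198.51.100.7', s=3, p='/node/1')]
    for i in range(50):   # 50 distinct derivatives from a single client
        lines.append(fmt.format(ip='203.0.113.9', s=i % 60,
                                p='/sites/default/files/styles/large/public/img%d.jpg' % i))
    return lines

if __name__ == '__main__':
    print(find_derivative_floods(constructed_log()))   # {'203.0.113.9': 50}
```

Only distinct (style, original) pairs are counted because repeat requests for an existing derivative are served from disk and do not trigger generation.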
CVE identifier(s) issued
- CVE-2013-0316
Versions affected
- Drupal core 7.x versions prior to 7.20.
Solution
Install the latest version:
- If you use Drupal 7.x, upgrade to Drupal core 7.20.
Also see the Drupal core project page.
Reported by
Fixed by
- Damien Tournoud of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- David Rothstein of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
- Bèr Kessels
Coordinated by
- David Rothstein of the Drupal Security Team
- Stéphane Corlosquet of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.