Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Drupal 8 REST Module Remote Code Execution (CVE-2019-6340)

Gal_Goldshtein
F5 Employee
F5 Employee

on ‎24-Feb-2019 04:00

In the recent days Drupal released a security advisory regarding a new highly critical risk vulnerability affecting Drupal 8 instances. The vulnerability may allow unauthenticated users to execute arbitrary code by forcing the vulnerable Drupal 8 instance to unserialize an arbitrary PHP serialized object via a crafted request to a REST API endpoint. The exploited API endpoint is accessible to unauthenticated users by default on instances where the RESTful Web Services module is enabled.

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing PHP code injection attack signatures which can be found in signature sets that include the “Server Side Code Injection” attack type or “PHP” System.

0151T000003d7JlQAI.png

Figure 1Exploit blocked with attack signature 200004268

0151T000003d7JmQAI.png

Figure 2Exploit blocked with attack signature 200004188

Additional Reading

https://www.drupal.org/sa-core-2019-003

https://www.ambionics.io/blog/drupal8-rce

 

Labels:
0 Kudos
Version history
Last update:
‎24-Feb-2019 04:00
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC