A Public Service Announcement (PSA) was issued by the Drupal Security Team on October 29, 2014 as a follow-up to Security Advisory SA-CORE-2014-005, which disclosed a serious SQL injection vulnerability in Drupal 7. The main aims of the PSA are to report on the time window between disclosure and the first known exploits, to restate the severity of the vulnerability and the importance of upgrading or patching, and to provide guidance for users who patched or upgraded outside that window.
The PSA produced a large volume of press coverage, which suggests its goals were met: it drew far more coverage than the original disclosure of the vulnerability on October 15, 2014. We are also finding, however, that the general tone of the coverage was quite negative. Regrettably, some of that coverage was inaccurate, and we would like to address it and add some context on security process.
We do not know how many Drupal sites were affected, but it is almost certainly not the 12 million figure stated in many publications. Individual Drupal sites report their existence back to Drupal.org unless that reporting is disabled, and around 1 million Drupal sites in total are reported to that system. SA-CORE-2014-005 is without doubt a severe matter; it is equally important to recognise that all software has security bugs that need a remediation process.
Finding, fixing and announcing security patches is one of the strongest signs of a healthy security process. In this respect Drupal is one of the strongest content management systems, with a dedicated security team that has also contributed code to Drupal itself.
To protect your CMS against SA-CORE-2014-005, enable the WAF rule for this vulnerability. To confirm that SQL injection protection is on, log into your Incapsula account, go to Settings >> WAF, and confirm that SQL Injection is set to Block Request.
The PSA goes on to state:
"Simply updating to Drupal 7.32 will not remove backdoors."
Customers should therefore also ensure that backdoor protection is enabled. To confirm it, log into your Incapsula account, go to Settings >> WAF, and confirm that Backdoor Protect is set to Auto-Quarantine.
Incapsula will continue to monitor this vulnerability and issue further updates as appropriate.
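As an added example (not code from the original article, from Incapsula or from the Drupal project), the following Python script performs the two checks a site owner would want after this advisory: it reads the VERSION constant that Drupal 7 defines in includes/bootstrap.inc to confirm the tree is at 7.32 or later, and it compares SHA-256 hashes of the docroot against a baseline manifest so that files added or changed since the baseline, which is where a backdoor left behind before the upgrade shows up, are listed. The directory layout, file contents and baseline are constructed inline so the script runs offline; the point it illustrates is the PSA's own: a version check alone says nothing about backdoors.

```python
import hashlib
import os
import re
import tempfile

# First Drupal 7 release that fixes SA-CORE-2014-005 (stated in the PSA).
FIXED_VERSION = (7, 32)

# Drupal 7 declares its release in includes/bootstrap.inc as
#   define('VERSION', '7.32');
# Dev builds carry suffixes such as '7.33-dev', so anything after the minor is ignored.
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'(\d+)\.(\d+)[^']*'\s*\)")


def parse_drupal_version(bootstrap_src):
    """Return (major, minor) parsed from bootstrap.inc source, or None."""
    m = VERSION_RE.search(bootstrap_src)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_fixed_release(bootstrap_src):
    """True only for Drupal 7.32 or later; other major versions are out of scope."""
    v = parse_drupal_version(bootstrap_src)
    return v is not None and v[0] == FIXED_VERSION[0] and v >= FIXED_VERSION


def hash_tree(root):
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_against_baseline(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted.

    'added' and 'modified' are where a dropped file or a tampered core file
    would show up; 'removed' is reported for completeness.
    """
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return added, modified, removed


def run_demo():
    """Build a constructed docroot, take a baseline, then change it and diff."""
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, "includes")
        os.makedirs(inc)
        bootstrap = os.path.join(inc, "bootstrap.inc")
        with open(bootstrap, "w") as fh:
            fh.write("<?php\ndefine('VERSION', '7.31');\n")  # constructed pre-fix release
        baseline = hash_tree(root)

        # The site is upgraded to 7.32; separately, a constructed unexpected file
        # appears under a writable directory. The upgrade alone never reveals it.
        with open(bootstrap, "w") as fh:
            fh.write("<?php\ndefine('VERSION', '7.32');\n")
        files_dir = os.path.join(root, "sites", "default", "files")
        os.makedirs(files_dir)
        with open(os.path.join(files_dir, "unexpected.php"), "w") as fh:
            fh.write("<?php // constructed placeholder for an unexpected file\n")

        with open(bootstrap) as fh:
            fixed = is_fixed_release(fh.read())
        added, modified, removed = diff_against_baseline(baseline, hash_tree(root))
        return {"fixed_release": fixed, "added": added,
                "modified": modified, "removed": removed}


if __name__ == "__main__":
    print(run_demo())
```

Against a real site, take the baseline with hash_tree on a known-clean copy of the same release (or on the docroot before the disclosure window), run it again after the upgrade, and review every path in added and modified, paying particular attention to writable locations such as sites/default/files.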