Drupal Vulnerability in on-premise 2018.1 and older

Article ID: 210989

Updated On:

Products

CA Agile Central On Premise (Rally)

Issue/Introduction

Security scans of 2018.1 and earlier may show the following vulnerabilities reported in Drupal:

CVE-2019-6338 - Drupal is prone to a remote PHP object-injection vulnerability.

CVE-2019-6339 - Drupal is prone to a remote code-execution vulnerability.

Cause

Drupal was used by 2018.1 and earlier to serve product documentation for offline usage.

Environment

Release : 2018.1

Resolution

2018.1 is end of life and no longer supported. The recommendation is to update to the newest version of on-premise, which no longer uses Drupal.

If upgrading is not possible, the workaround is to delete the directory or set permissions to deny access to all users:

Either

# chmod 000 /var/www/html/help

or

# rm -rf /var/www/html/help
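To confirm that one of the two workarounds above is actually in place on a server, the following shell check (an added example, not part of the original article) reports whether the help directory is absent, locked to mode 000, or still accessible. The path is the one the article names; the function name and its output words are assumptions made here.

```shell
#!/bin/sh
# Added verification helper (not part of the original KB article): reports
# whether the Drupal help directory has been removed or locked down as the
# workaround describes. The default path is the one named in the article;
# pass another path as the first argument for a different install root.
HELP_DIR_DEFAULT=/var/www/html/help

# Prints exactly one word:
#   absent    - the directory no longer exists (rm -rf workaround applied)
#   mitigated - it exists but no rwx bit is set for owner, group or other
#               (chmod 000 workaround applied)
#   exposed   - it exists and at least one permission bit is still set
#   unknown   - the permission bits could not be read (exit status 2)
help_dir_status() {
    dir="${1:-$HELP_DIR_DEFAULT}"
    if [ ! -e "$dir" ]; then
        echo absent
        return 0
    fi
    # Permission bits in octal. '-c %a' is GNU coreutils stat; '-f %Lp' is
    # the BSD/macOS equivalent, tried only if the GNU form fails.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir" 2>/dev/null)
    if [ -z "$mode" ]; then
        echo unknown
        return 2
    fi
    # Mask off setuid/setgid/sticky so only the rwx classes are compared.
    # The leading 0 makes the shell read the value as octal.
    if [ "$((0$mode & 0777))" -eq 0 ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Run as a script: print the status for the default (or given) path.
help_dir_status "$@"
```

Note that mode 000 does not restrict processes running as root; the check mirrors the article's workaround, which relies on the web server's worker processes running as an unprivileged user.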