Drupal Vulnerability in on-premise 2018.1 and older
search cancel

Drupal Vulnerability in on-premise 2018.1 and older

book

Article ID: 210989

calendar_today

Updated On:

Products

CA Agile Central On Premise (Rally)

Issue/Introduction

Security scans of 2018.1 and earlier may show the following vulnerabilities reported in Drupal:

CVE-2019-6338 - Drupal is prone to a remote PHP object-injection vulnerability.

CVE-2019-6339 - Drupal is prone to a remote code-execution vulnerability.

 

Environment

Release : 2018.1

 

Cause

Drupal was used by 2018.1 and earlier to serve product documentation for offline usage.

Resolution

2018.1 is end of life and no longer supported.  The recommendation is to update to the newest version of on-premise which no longer uses Drupal

If upgrading is not possible, the workaround is to delete the directory or set permissions to deny access to all users:

Either

# chmod 000 /var/www/html/help

or

# rm -rf /var/www/html/help