Feed aggregator

Campe Receives National Research Fellowship to Study Campus Safety

uknow gradschool - Thu, 04/26/2018 - 8:00am
Maggie Campe, a doctoral candidate in the UK Department of Sociology and research assistant in UK’s Center for Research on Violence Against Women, is the inaugural recipient of the Lindsey M. Bonistall Research Fellowship from PEACEOUTside Campus. The research fellowship aims to promote peaceful and safe living environments in college communities.

JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

Project Security Advisories - Wed, 04/25/2018 - 1:43pm
Project: JSON APIVersion: 8.x-1.15Date: 2018-April-25Security risk: Moderately critical 11∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site Request ForgeryDescription: 

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities.

The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication.

This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped.

Solution: 

Install the latest version:

  • If you use the JSON API module for Drupal 8.x, upgrade to 8.x-1.16
Reported By: Fixed By: Coordinated By: 

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

Project Security Advisories - Wed, 04/25/2018 - 1:37pm
Project: DRD AgentDate: 2018-April-25Security risk: Critical 15∕25 AC:None/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: PHP object injectionDescription: 

This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard.

The modules (DRD and DRD Agent) encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize functions instead of the json_encode/json_decode combination. As the unserialize function is called on unauthenticated content, this introduces a PHP object injection vulnerability.

Solution: 

Install the latest version:

Reported By: Fixed By: Coordinated By: 

Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

Project Security Advisories - Wed, 04/25/2018 - 1:23pm
Project: MediaVersion: 7.x-2.18Date: 2018-April-25Security risk: Critical 18∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Remote Code ExecutionDescription: 

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site.

The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.

Solution: 

Install the latest version:

  • If you use the Media module for Drupal 7.x-2.x, upgrade to Media 7.x-2.19
Coordinated By: 
  • Dave Reid the module maintainer and member of the Drupal Security Team

Drupal core - Critical - Remote Code Execution - SA-CORE-2018-004

Core Security Advisories - Wed, 04/25/2018 - 12:13pm
Project: Drupal coreDate: 2018-April-25Security risk: Critical 17∕25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Remote Code ExecutionDescription: 

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. While SA-CORE-2018-002 is being exploited in the wild, this vulnerability is not known to be in active exploitation as of this release.

Solution: 

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.59.
  • If you are running 8.5.x, upgrade to Drupal 8.5.3.
  • If you are running 8.4.x, upgrade to Drupal 8.4.8. (Drupal 8.4.x is no longer supported and we don't normally provide security releases for unsupported minor releases. However, we are providing this 8.4.x release so that sites can update as quickly as possible. You should update to 8.4.8 immediately, then update to 8.5.3 or the latest secure release as soon as possible.)

If you are unable to update immediately, or if you are running a Drupal distribution that does not yet include this security release, you can attempt to apply the patch below to fix the vulnerability until you are able to update completely:

These patches will only work if your site already has the fix from SA-CORE-2018-002 applied. (If your site does not have that fix, it may already be compromised.)

Reported By: Fixed By: 

Students, Faculty and Staff Honored by UK Disability Resource Center

uknow gradschool - Wed, 04/25/2018 - 8:00am
The UK Disability Resource Center held its annual awards ceremony recently.

Three International Students Receive Scholarship for Cross-Cultural Understanding

uknow gradschool - Wed, 04/25/2018 - 8:00am
Three international students have been awarded UK's 2018 Viji Jeganathan Scholarship for Cross-Cultural Understanding for their dedication to promoting cultural diversity and inclusivity through involvement at UK.

Sociology Doctoral Student Receives P.E.O. Scholarship for Women

uknow gradschool - Tue, 04/24/2018 - 8:00am
Amanda Bunting, a doctoral candidate in the UK Department of Sociology, is one of 100 doctoral students in the U. S. and Canada selected to receive a $15,000 Scholar Award from the P.E.O. Sisterhood.

UK String Quartets Invited to Perform at Prestigious French Festival

uknow gradschool - Tue, 04/24/2018 - 8:00am
The Niles and Verdi String Quartets will perform a concert of 20th century music for string quartet at the second annual Festival de Paques in Deauville, France.

Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003

Security Public Service Announcements - Mon, 04/23/2018 - 12:27pm

There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 - 18:00 UTC. This PSA is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk that exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page.

This security release is a follow-up to the one released as SA-CORE-2018-002 on March 28.

  • Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.
  • Sites on 8.4.x should immediately update to the 8.4.8 release that will be provided in the advisory, and then plan to update to 8.5.3 or the latest security release as soon as possible (since 8.4.x no longer receives official security coverage).

The security advisory will list the appropriate version numbers for each branch. Your site's update report page will recommend the 8.5.x release even if you are on 8.4.x or an older release, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update.

Patches for Drupal 7.x, 8.4.x, 8.5.x and 8.6.x will be provided in addition to the releases mentioned above. (If your site is on a Drupal 8 release older than 8.4.x, it no longer receives security coverage and will not receive a security update. The provided patches may work for your site, but upgrading is strongly recommended as older Drupal versions contain other disclosed security vulnerabilities.)

This release will not require a database update.

The CVE for this issue is CVE-2018-7602. The Drupal-specific identifier for the issue will be SA-CORE-2018-004.

The Security Team or any other party is not able to release any more information about this vulnerability until the announcement is made. The announcement will be made public at https://www.drupal.org/security, over Twitter, and in email for those who have subscribed to our email list. To subscribe to the email list: login on Drupal.org, go to your user profile page, and subscribe to the security newsletter on the Edit » My newsletters tab.

Journalists interested in covering the story are encouraged to email security-press@drupal.org to be sure they will get a copy of the journalist-focused release. The Security Team will release a journalist-focused summary email at the same time as the new code release and advisory.
If you find a security issue, please report it at https://www.drupal.org/security-team/report-issue.

UK Grad Student Shares Recovery Journey

uknow gradschool - Mon, 04/23/2018 - 8:00am
Alex Elswick and his family work every day to reduce the stigma or addiction and help people across the Commonwealth access the resources that can help them in their recovery. Alex knows firsthand what it takes, he's in long-term recovery from an opioid use disorder.

Kirwan Prize, Sturgill Award Presented to Outstanding Faculty

uknow gradschool - Fri, 04/20/2018 - 8:00am
Two UK faculty members were honored for their outstanding contributions to teaching and scholarship at the 2018 Provost Awards ceremony held April 19.

The Courageous, the Determined, the Inspiring: Heroes of UK

uknow gradschool - Fri, 04/20/2018 - 8:00am
In the real world, heroes aren’t created by gamma ray experiments gone wrong, or specially engineered super-suits, or radioactive spider bites. Over the next two weeks, we'll be sharing just a few of the many stories of heroism, courage, determination and perseverance from UK students and faculty -- and one very clever dog.

Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019

Project Security Advisories - Wed, 04/18/2018 - 1:31pm
Project: Display SuiteVersion: 7.x-2.147.x-1.9Date: 2018-April-18Security risk: Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scripting (XSS)Description: 

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface.

The module doesn't sufficiently validate view modes provided dynamically via URLs leading to a reflected cross site scripting (XSS) attack.

This vulnerability is mitigated only by the fact that most modern browsers protect against reflected XSS via the url.

Solution: Reported By: Fixed By: Coordinated By: 

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018

Project Security Advisories - Wed, 04/18/2018 - 11:45am
Project: Menu Import and ExportVersion: 8.x-1.0Date: 2018-April-18Security risk: Critical 17∕25 AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:UncommonVulnerability: Access bypassDescription: 

This module helps in exporting and importing Menu Items via the administrative interface.

The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links.

There is no mitigation for this vulnerability.

Solution: 

Update to Menu Import and Export 8.x-1.2.

Reported By: Fixed By: Coordinated By: 

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Core Security Advisories - Wed, 04/18/2018 - 11:34am
Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: 

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Solution: 
  • If you are using Drupal 8, update to Drupal 8.5.2 or Drupal 8.4.7.
  • The Drupal 7.x CKEditor contributed module is not affected if you are running CKEditor module 7.x-1.18 and using CKEditor from the CDN, since it currently uses a version of the CKEditor library that is not vulnerable.
  • If you installed CKEditor in Drupal 7 using another method (for example with the WYSIWYG module or the CKEditor module with CKEditor locally) and you’re using a version of CKEditor from 4.5.11 up to 4.9.1, update the third-party JavaScript library by downloading CKEditor 4.9.2 from CKEditor's site.
Reported By: Fixed By: 

Drupal Core - Highly Critical - Public Service announcement - PSA-2018-002

Security Public Service Announcements - Fri, 04/13/2018 - 1:36pm
Description

This Public Service Announcement is a follow-up to SA-CORE-2018-002 - Drupal core - RCE. This is not an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2018-002 you should assume your site has been targeted and follow directions for remediation as described below.

The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 25/25

Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.

Simply updating Drupal will not remove backdoors or fix compromised sites.

If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.

What to do if your site may be compromised

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

Take a look at our help documentation, ”Your Drupal site got hacked, now what.”

Recovery

Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.

Removing a compromised website’s backdoors is difficult because it is very difficult to be certain all backdoors have been found.

If you did not patch, you should restore from a backup. While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch. For more information please refer to this guide on hacked sites.

Contact and More Information

We prepared a FAQ that was released when SA-CORE-2018-002 was published. Read more at FAQ on SA-CORE-2018-002.

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

#IAmAWomanInSTEM to Host Week of Celebration

uknow gradschool - Mon, 04/09/2018 - 8:00am
The student organization #IAmAWomanInSTEM, which encourages female undergraduate students to pursue and persist in STEM majors, will host four events April 17-20.

Taking Research to the Front Lines: Why UK Researchers are Studying Firefighter Fitness

uknow gradschool - Mon, 04/09/2018 - 8:00am
Police officers, firefighters and military personnel face daunting physical obstacles while on the job, often coupled with intense mental stress.

Keeping the Spark Alive in Long-term Relationships

uknow gradschool - Thu, 04/05/2018 - 8:00am
Research by UK's Kristen Mark brings decades of findings together to help researchers, clinicians and couples understand where the science stands on maintaining desire in long-term relationships.

Pages