This Public Service Announcement is a follow-up to SA-CORE-2019-003. This is not an announcement of a new vulnerability. If you have not updated your site as described in SA-CORE-2019-003 you should do that now.

There are public exploits now available for this SA.

Update, February 25: Mass exploits are now being reported in the wild.

In the original SA we indicated this could be mitigated by blocking POST, PATCH and PUT requests to web services resources, there is now a new way to exploit this using GET requests.

The best mitigation is:

If you are using Drupal 8.6.x, upgrade to Drupal 8.6.10.

If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.11.

Be sure to install any available security updates for contributed projects after updating Drupal core.

This only applies to your site if:

The site has the Drupal 8 core RESTful Web Services (rest) module enabled.

OR The site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7, or custom code that allows entity updates via non-form sources.

What to do if your site may be compromised

Take a look at our existing documentation, ”Your Drupal site got hacked, now what”.

We’ll continue to update the SA if novel types of exploit appear.