On November 18th, 2020, the Drupal security team released security advisory SA-CORE-2020-012, a critical remote code execution vulnerability being patched in Drupal 7, 8, and 9. If you haven't read up on this issue, or the contrib advisories from the same day, I suggest you pause here and go take a look (and of course update your site(s)).
As always, the Drupal Security Team demonstrated their commitment and professionalism in helping all of us keep our Drupal sites more secure. This post is not only to praise the security team, though; it is also to report back on our first trial activation of the Drupal Steward program with a real security vulnerability.
As a reminder, the Drupal Steward program is operated jointly by the Drupal Association and the Drupal Security team, to offer protection for highly critical and mass exploitable vulnerabilities in the form of a web application firewall. This protection is offered directly by the Drupal Association to end-users, and also through our Founding Platform Partners: Acquia and Pantheon.
Drupal Steward doesn't change the site owner's responsibility to update their site. It does, however, provide a greater safety window and more flexibility for their team when scheduling the update.
In coordination with the Drupal Security Team, as well as our partners, we decided to use SA-CORE-2020-012 as our first live case for implementing this protection. This core issue was neither 'highly-critical' nor 'mass-exploitable', the kind of issue the program is generally designed to protect against, but because it was still a critical issue, it made a good test case.
We made a deliberate choice not to pre-advertise the protection for this first activation, because we wanted to thoroughly vet the process end-to-end before telling Steward customers to breathe easy when scheduling their update.
For future activations we will include a section in the PSA or SA published on Drupal.org, marked by the Drupal Steward logo, which indicates whether an upcoming security release will have this Drupal Steward coverage - giving all Drupal Steward customers the warning they need so they can responsibly schedule their site updates.
We're very pleased to say that this first program activation went very smoothly. Our coordination with Founding Partners, and our implementation of the firewall rules for the community tier went quickly and easily - and despite the short turn-around time, we were able to have protection coordinated in time for the disclosure of the issue.
What about SA-CORE-2020-013?
If you follow Drupal security issues closely, you'll know that another Drupal security release occurred only about a week later. SA-CORE-2020-013 was released to mitigate a vulnerability in a third-party dependency of Drupal. This issue was not eligible for Drupal Steward coverage because it was a zero-day, that is, the vulnerability was already public and so there was no time to implement a preventative mitigation strategy.
Ready to sign up?
You can learn more about Drupal Steward here and you can ask questions or set up a consultation here. Cost is usage-based, and we've tried to subsidize the cost as much as possible for our community site owners. For most small to medium-sized sites, coverage costs less than $200/year. Proceeds are allocated to support Drupal Association and Drupal Security Team programs.