Pantheon response to Drupal 10.1.4 Security Update
Incident Report for Pantheon Operations
Resolved
As part of our response to yesterday's security release of Drupal core (https://status.pantheon.io/incidents/vj842n7k7w40), we have deployed a change to our Global CDN that mitigates exploitation of the relevant vulnerability. Still, we advise all customers to apply the core update to Drupal itself to best ensure the security of their sites.

While we have not found evidence of this vulnerability being exploited on customer sites, we were able to reproduce the attack pattern on un-updated sites set up for internal testing. As of now, our engineers have closed this path of exploitation for un-updated sites.

It is conceivable that our remediation (which modifies error responses from Drupal JSON:API) could adversely affect some customer sites, but this risk is exceedingly remote. The path of exploitation for this vulnerability is narrow and it is unlikely that legitimate usage of JSON:API would depend on the error responses we are now modifying. If that is not true for your team, please contact Pantheon support immediately.
Posted Sep 21, 2023 - 15:16 PDT