Penetration testing with AngularJS/1.x
Our current applications are being flagged in their penetration tests as having critical issues due to the use of AngularJS which goes EOL on 31 Dec 2021
I note that Umbraco 9 has Angular 1.8 - is this something that will be moved away from soon? Was this something that was flagged in the Sept 2021 penetration test or is anticipated to be flagged in the March 2022 test?
Thanks
Mike
Hi Mike,
as far as I know Angular 1.8 will be replaced when the new backoffice is launched and that is not planned yet. I'm pretty sure that it certainly will not be part of Umbraco 10, and I even doubt if Umbraco 11 will have a new backoffice.
So probably you have to deal with Angular 1.8 unfortunately :S
We, as a digital agency, also get these issues from pen tests. Your best way out of this is by IP whitelisting your backoffice (/umbraco/) to specific IP addresses. This will dramatically decrease the attack surface, because only a limited number of editors will have access from specific IP addresses. And in what world would we live if we cannot even trust our editors anymore ;)!
The process to IP whitelisting is really well documented over here: https://our.umbraco.com/documentation/Reference/Security/Security-hardening/
Hope this helps! Have a nice & safe weekend!
Jeffrey
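An added example, not from this thread and not Umbraco's own code, of the backoffice IP whitelisting Jeffrey describes: an ASP.NET Core middleware for an Umbraco 9 site that rejects requests under /umbraco/ from addresses outside an allowlist. The CIDR values are constructed placeholders, and it assumes that, when the site sits behind a reverse proxy or load balancer, the ForwardedHeaders middleware (with KnownProxies set) is registered ahead of it so RemoteIpAddress is the editor's address rather than the proxy's.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using IPNetwork = Microsoft.AspNetCore.HttpOverrides.IPNetwork;

// Restricts every path under /umbraco (login page, backoffice UI and its
// /umbraco/backoffice/... API routes) to an allowlist of client networks.
// Public site paths are not affected.
public sealed class BackofficeIpAllowlistMiddleware
{
    // Constructed placeholder ranges; replace with the editors' real egress addresses.
    private static readonly string[] AllowedCidrs = { "203.0.113.0/24", "198.51.100.7/32" };

    private readonly RequestDelegate _next;
    private readonly List<IPNetwork> _allowed;

    public BackofficeIpAllowlistMiddleware(RequestDelegate next)
    {
        _next = next;
        _allowed = AllowedCidrs.Select(cidr =>
        {
            var parts = cidr.Split('/');
            return new IPNetwork(IPAddress.Parse(parts[0]), int.Parse(parts[1]));
        }).ToList();
    }

    public async Task InvokeAsync(HttpContext context)
    {
        if (context.Request.Path.StartsWithSegments("/umbraco", StringComparison.OrdinalIgnoreCase))
        {
            var remote = context.Connection.RemoteIpAddress;
            // Kestrel may report IPv4 clients as IPv4-mapped IPv6; normalise before matching.
            if (remote != null && remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();

            // Fail closed: no address, or an address outside the allowlist, gets a 404
            // so the backoffice is not even confirmed to exist to outside clients.
            if (remote == null || !_allowed.Any(net => net.Contains(remote)))
            {
                context.Response.StatusCode = StatusCodes.Status404NotFound;
                return;
            }
        }
        await _next(context);
    }
}
```

Register it in Startup.Configure with `app.UseMiddleware<BackofficeIpAllowlistMiddleware>()` after `app.UseForwardedHeaders()` and before Umbraco's own middleware, and verify from a non-allowlisted address that /umbraco/ returns 404 while the public site still serves.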
Thanks Jeffrey, that is really helpful
I suppose what I am really after is a way to mitigate/explain to any pen tester who raises the use of AngularJS after end of life within Umbraco as a critical/high issue
Whitelisting is one approach to lessen the vulnerability but if a client sees the pen test and questions why a product that contains an out of support framework is being used, I need something to go back to them with
I fully appreciate why Umbraco do not publish their pen test results and am more than confident they release security patches for critical vulnerabilities but as we are working towards removing AngularJS from our products for this EOL reason, why/how Umbraco are able to justify its continued use