Medium-severity security vulnerability identified in Umbraco CMS
We're ready to answer your questions in relation to the blog post we just published:
https://umbraco.com/blog/security-advisory-january-20-2022-medium-severity-security-vulnerability-identified-in-umbraco-cms/
Just to clarify - sites hosted on Umbraco-Cloud - including Umbraco-7 - are NOT affected by this?
None of the sites on Umbraco Cloud are affected, because they all use hostname bindings (you can't access a site by just the IP address and therefore can't spoof the hostname either).
Setting up hostname bindings is kind of a two-way verification: you prove ownership of a hostname/domain by pointing it to the IP address of the webserver and verify ownership of the webserver/hosting package by adding that hostname to the site's bindings. Your site will only work if both are correctly set up, so you can't spoof the hostname anymore.
You can still set the umbracoApplicationUrl on Umbraco 7+ sites to ensure that URL is always used for e.g. password reset links (this alone would already mitigate the issue). Only Umbraco 8 and 9 have received patches to use a (slightly) safer default and a Health Check to ensure you've set the umbracoApplicationUrl. Umbraco 7 didn't get patched, because this is a medium-severity security vulnerability and there are already multiple ways to mitigate this issue.

✅ No sites running on Umbraco Cloud are affected.