{"id":13895,"date":"2018-03-02T07:24:35","date_gmt":"2018-03-02T12:24:35","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/bharry\/?p=13895"},"modified":"2019-02-27T03:49:12","modified_gmt":"2019-02-27T03:49:12","slug":"13895","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/bharry\/13895\/","title":{"rendered":"TFS Security updates"},"content":{"rendered":"<p><span style=\"color: #000000; font-family: Calibri;\">On Wednesday, we released a roll-up of fixes for security vulnerabilities for several versions of Team Foundation Server. There are no new features in this update. Most of the vulnerabilities are related to cross-site scripting (XSS), some of which were customer reported. The others include an improperly encoded API, a service endpoint editing experience which exposes a previously configured password, and a regex denial of service vulnerability in our web portal. We recommend customers install these updates. These fixes are included in the recently released Team Foundation Server 2018 Update 1.\u00a0 The release on Wednesday was for older versions and for customers who are not yet ready to update to TFS 2018.<\/span>\n<span style=\"color: #000000;\"><strong><span style=\"margin: 0px; font-family: 'Calibri',sans-serif;\">Team Foundation Server 2015 Update 4.1:<\/span><\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/visualstudio\/releasenotes\/tfs2015-update4-vs\">Release Notes<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"http:\/\/go.microsoft.com\/fwlink\/?LinkId=844069\">TFS Server ISO<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"http:\/\/go.microsoft.com\/fwlink\/?LinkId=844068\">TFS Server web install<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><span 
style=\"color: #0563c1;\"><a href=\"http:\/\/go.microsoft.com\/fwlink\/?LinkId=844071\">TFS Express ISO<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><a href=\"http:\/\/go.microsoft.com\/fwlink\/?LinkId=844070\">TFS Express web install<\/a><\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\"><strong><span style=\"margin: 0px; font-family: 'Calibri',sans-serif;\">Team Foundation Server 2017.0.1:<\/span><\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/visualstudio\/releasenotes\/tfs2017-relnotes\">Release Notes<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=831911\">TFS Server ISO<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=831912\">TFS Server web install<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=831913\">TFS Express ISO<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=831910\">TFS Express web install<\/a><\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000;\"><strong><span style=\"margin: 0px; font-family: 'Calibri',sans-serif;\">Team Foundation Server 2017 Update 3.1:<\/span><\/strong><\/span><\/p>\n<ul>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"https:\/\/docs.microsoft.com\/en-us\/visualstudio\/releasenotes\/tfs2017-update3\">Release Notes<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=857132\">TFS Server ISO<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: 
Calibri;\"><span style=\"color: #0563c1;\"><a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=857134\">TFS Server web install<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><span style=\"color: #0563c1;\"><a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=857133\">TFS Express ISO<\/a><\/span><\/span><\/li>\n<li><span style=\"font-family: Calibri;\"><a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=857131\">TFS Express web install<\/a><\/span><\/li>\n<\/ul>\n<p><span style=\"color: #000000; font-family: Calibri;\">We take all security vulnerabilities very seriously and go to great lengths to protect our customers.\u00a0 The worst kind of security vulnerabilities you can have are those that allow an external, unauthenticated attacker access to or control over a system.\u00a0 Fortunately, none of these are of that nature.\u00a0 All of them require an authenticated user who has been granted permissions to your TFS server.\u00a0 They would all require a hostile or unlikely accidental action by someone on your team.\u00a0 However, out of an abundance of caution, we are releasing fixes and we encourage you to install the update.\u00a0 All of these fixes have, of course, already been applied to our cloud-hosted offering &#8211; VSTS.<\/span><\/p>\n<p><span style=\"color: #000000; font-family: Calibri;\">As I mentioned above, some of the vulnerabilities were customer reported.\u00a0 Although we do extensive security testing ourselves, as with all bugs, it\u2019s possible for us to miss something.\u00a0 From time to time, some of our customers (particularly larger enterprises) do their own security testing of both TFS and VSTS and report their findings.\u00a0 In most cases they don\u2019t find anything.\u00a0 However, recently, one of our customers did some very detailed testing and they found a few XSS issues.\u00a0 We\u2019re grateful to our customers who invest the effort to ensure our product is as secure as possible and we\u2019re committed 
to fixing any significant issues they find.<\/span><\/p>\n<p><span style=\"font-family: Calibri;\"><span style=\"color: #000000;\">Going forward, to prevent future XSS vulnerabilities from slipping through our testing, we are adopting <\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/Content_Security_Policy\">Content Security Policy<\/a><\/span><span style=\"color: #000000; font-family: Calibri;\"> to broadly mitigate XSS issues.<\/span><\/p>\n<p><span style=\"color: #000000; font-family: Calibri;\">Thank you,<\/span>\n<span style=\"color: #000000; font-family: Calibri;\">Brian<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On Wednesday, we released a roll-up of fixes for security vulnerabilities for several versions of Team Foundation Server. There are no new features in this update. Most of the vulnerabilities are related to cross-site scripting (XSS), some of which were customer reported. The others include an improperly encoded API, a service endpoint editing experience which exposes a previously configured password, and a regex denial of service vulnerability in our web portal. We recommend customers install these updates. These fixes are included in the recently released Team Foundation Server 2018 Update 1.  The release on Wednesday was for older versions and for customers who are not yet ready to update to TFS 2018.<\/p>\n","protected":false},"author":244,"featured_media":14617,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[5],"class_list":["post-13895","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-tfs"],"acf":[],"blog_post_summary":"<p>On Wednesday, we released a roll-up of fixes for security vulnerabilities for several versions of Team Foundation Server. There are no new features in this update. 
Most of the vulnerabilities are related to cross-site scripting (XSS), some of which were customer reported. The others include an improperly encoded API, a service endpoint editing experience which exposes a previously configured password, and a regex denial of service vulnerability in our web portal. We recommend customers install these updates. These fixes are included in the recently released Team Foundation Server 2018 Update 1.  The release on Wednesday was for older versions and for customers who are not yet ready to update to TFS 2018.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/posts\/13895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/users\/244"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/comments?post=13895"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/posts\/13895\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/media\/14617"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/media?parent=13895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/categories?post=13895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/bharry\/wp-json\/wp\/v2\/tags?post=13895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}