April 9th, 2019

April Security Release: Patches available for Azure DevOps Server 2019, TFS 2018.3.2, TFS 2018.1.2, TFS 2017.3.1, and the release of TFS 2015.4.2

Erin Dormier
Principal Program Manager

For the April security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, and TFS 2015. These vulnerabilities were found through our Azure DevOps Bounty Program. Thanks to everyone who has been participating in this program.

CVE-2019-0857: spoofing vulnerability in the Wiki

CVE-2019-0866: remote code execution vulnerability in Pipelines

CVE-2019-0867: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0868: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0869: HTML injection vulnerability in Pipelines

CVE-2019-0870: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0871: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0874: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0875: elevation of privilege vulnerability in Boards

Azure DevOps Server 2019 Patch 1

If you have Azure DevOps Server 2019, you should install Azure DevOps Server 2019 Patch 1.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.

After installing Azure DevOps Server 2019 Patch 1, the version will be 17.143.28804.3.

TFS 2018 Update 3.2 Patch 3

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 3.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 3, the version will be 16.131.28728.4.

TFS 2018 Update 1.2 Patch 3

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 3.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 1.2 Patch 3, the version will be 16.122.28801.2.

TFS 2017 Update 3.1 Patch 4

If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 4.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing TFS 2017 Update 3.1 Patch 4, the version will be 15.117.28728.0.

TFS 2015 Update 4.2

If you are on TFS 2015, you should upgrade to TFS 2015 Update 4.2 with the ISO or Web Install. For TFS 2015 Update 4.2 Express, you can upgrade with the ISO or Web Install. This is a full upgrade and will require you to run the Upgrade Wizard.

Author

Erin Dormier
Principal Program Manager

27 comments

Discussion is closed. Login to edit/delete existing comments.

  • Carlos Quintero

    Hi,

    I have TFS 2015 in Spanish installed on Windows Server in Spanish. When I try to install TFS 2015 Update 4.2 (tfsserver2015.4.2.exe) I get error "Stop Block: Dev14_LanguageInstall : The currently installed version of Team Foundation Server is a different language. There can only be one language of Team Foundation Server installed." This is because the setups wants to find HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DevDiv\tfs\Servicing\14.0\serverCore\1033 (English) but it finds HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\DevDiv\tfs\Servicing\14.0\serverCore\3082 (Spanish)

    So, where can I download TFS 2015 Update 4.2...

    Read more
  • Иван Мидович

    Why you not update version in console TFS?..

  • Kelly, John

    Everytime I run one of these patches for 2017 the output is a bunch of "Waiting on process NNNNN (XXX seconds elapsed)" for several minutes, sporadic exceptions, waiting for the pool to stop for several more minutes, a final flurry of activity I suspect is that actual update running, and then the installer completes. I expect it to take several minutes and throw several exceptions and yet still 'succeed'.
    Are the 2018 and 2019 installers...

    Read more
  • Mills, Charles

    I ran this against our server with 2017 3.1 and we now get an error starting up the TFS administration console saying that “There was an exception while launching the Team Foundation Administration Console: Could not load file or assembly ‘Microsoft.TeamFoundation.Framework.Server, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a’ or one of its dependencies. The located assembly’s manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)”. Any thoughts?

  • anonymous

    this comment has been deleted.

    • Erin DormierMicrosoft employee Author

      Hi Aditya,

      These are only applicable to the on premises environments. All vulnerabilities that impacted our cloud service have already been addressed, so no action is needed for the service.

      • anonymous

        this comment has been deleted.

  • Giulio Vian

    @Erin, will these patches included in the ISO images downloadable from MSDN etc? If so, will take a long time? TIA

    • Erin DormierMicrosoft employee Author

      Hi Giulio,

      No, these won’t be included in the MSDN/VS Subscription ISOs. You’ll have to apply these patches over the installations you do with the VS subscription ISOs.

      • Markus

        But only the latest patch, all predecessors are included, right?

      • Erin DormierMicrosoft employee Author

        Correct. All of the patches include all the fixes from previous patches.

  • Markus

    When will be the groundbreaking feature implemented for an unattend installation from patches?

    • Erin DormierMicrosoft employee Author

      🙂 We expect it to be available for the May security release. 

  • Corné Wevers

    Hi, I just installed this patch on two of our test Azure Devops 2019 servers. On both servers the installation succeeded but it encountered a timeout exception while waiting for the application pool to have succesfully stopped. It doesn’t seem to correctly detect that the pool has stopped so it’ll hit the timeout. When retrying it’ll instantly detect that the pool has stopped and continue with applying the patch.

    • Erin DormierMicrosoft employee Author

      Hello Corné,

      I found out some information from my collegue, Matt.

      Sorry that you ran into problems with the install.  There are some rare cases where we don’t correctly detect that everything has stopped.  In those cases, re-running the patch is the correct response, and it will correctly update the files and then restart the server.

  • Daniel Stefanescu

    Tried to apply the patch on a TFS2018 Update 3.2 Patch 2:Error patching files: System.UnauthorizedAccessException: Access to the path ‘C:\Program Files\Microsoft Team Foundation Server 2018\Application Tier\TFSJobAgent\Microsoft.TeamFoundation.DistributedTask.Orchestration.Server.dll’ is denied.

    • Daniel Stefanescu

      The current version of C:\Program Files\Microsoft Team Foundation Server 2018\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll is 16.131.28626.3 (I applied yesterday tfs2018.3.2patch2.exe)

      • Erin DormierMicrosoft employee Author

        Hi Daniel,

        For TFS 2018 Update 3.2, it should be patch 3. Can you confirm you installed tfs2018.3.2patch3.exe, not patch2? Are you still having the System.UnauthorizedAccessException issue?

  • Long Pham

    For TFS 2015 Update 4.2 is there an express version available? tfsexpress2015.4.2.exe

      • Long Pham

        Thanks for the link. The install failed with “A setup package is either missing or damaged.” Since this is a web installer looks like its failing to download some packages during install. thanks,

      • Erin DormierMicrosoft employee Author

        I’m taking a look. In the meantime, can you get unblocked by downloading the ISO?

      • Bob S.

        Had the same issue with the TFS 2015 Web Install, had to use the ISO to update without the error.