April Security Release: Patches available for Azure DevOps Server 2019, TFS 2018.3.2, TFS 2018.1.2, TFS 2017.3.1, and the release of TFS 2015.4.2

Erin Dormier

Erin

For the April security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, and TFS 2015. These vulnerabilities were found through our Azure DevOps Bounty Program. Thanks to everyone who has been participating in this program.

CVE-2019-0857: spoofing vulnerability in the Wiki

CVE-2019-0866: remote code execution vulnerability in Pipelines

CVE-2019-0867: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0868: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0869: HTML injection vulnerability in Pipelines

CVE-2019-0870: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0871: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0874: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0875: elevation of privilege vulnerability in Boards

Azure DevOps Server 2019 Patch 1

If you have Azure DevOps Server 2019, you should install Azure DevOps Server 2019 Patch 1.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.

After installing Azure DevOps Server 2019 Patch 1, the version will be 17.143.28804.3.

TFS 2018 Update 3.2 Patch 3

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 3.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 3, the version will be 16.131.28728.4.

TFS 2018 Update 1.2 Patch 3

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 3.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 1.2 Patch 3, the version will be 16.122.28801.2.

TFS 2017 Update 3.1 Patch 4

If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 4.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing TFS 2017 Update 3.1 Patch 4, the version will be 15.117.28728.0.

TFS 2015 Update 4.2

If you are on TFS 2015, you should upgrade to TFS 2015 Update 4.2 with the ISO or Web Install. For TFS 2015 Update 4.2 Express, you can upgrade with the ISO or Web Install. This is a full upgrade and will require you to run the Upgrade Wizard.

Erin Dormier
Erin Dormier

Principal Program Manager, Azure DevOps

Follow Erin   

25 comments

  • Avatar
    Daniel Stefanescu

    Tried to apply the patch on a TFS2018 Update 3.2 Patch 2:Error patching files: System.UnauthorizedAccessException: Access to the path ‘C:\Program Files\Microsoft Team Foundation Server 2018\Application Tier\TFSJobAgent\Microsoft.TeamFoundation.DistributedTask.Orchestration.Server.dll’ is denied.

    • Avatar
      Daniel Stefanescu

      The current version of C:\Program Files\Microsoft Team Foundation Server 2018\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll is 16.131.28626.3 (I applied yesterday tfs2018.3.2patch2.exe)

      • Erin Dormier
        Erin Dormier

        Hi Daniel,

        For TFS 2018 Update 3.2, it should be patch 3. Can you confirm you installed tfs2018.3.2patch3.exe, not patch2? Are you still having the System.UnauthorizedAccessException issue?

  • Avatar
    Corné Wevers

    Hi, I just installed this patch on two of our test Azure Devops 2019 servers. On both servers the installation succeeded but it encountered a timeout exception while waiting for the application pool to have succesfully stopped. It doesn’t seem to correctly detect that the pool has stopped so it’ll hit the timeout. When retrying it’ll instantly detect that the pool has stopped and continue with applying the patch.

    • Erin Dormier
      Erin Dormier

      Hello Corné,

      I found out some information from my collegue, Matt.

      Sorry that you ran into problems with the install.  There are some rare cases where we don’t correctly detect that everything has stopped.  In those cases, re-running the patch is the correct response, and it will correctly update the files and then restart the server.

  • ADITYA JAMKHANDE
    ADITYA JAMKHANDE

    Hello Erin,

    Thank you for the detailed description. I have a question which may sound silly. But are these patches applicable on the cloud or on the on prem environment?
    Thank you

  • Avatar
    Mills, Charles

    I ran this against our server with 2017 3.1 and we now get an error starting up the TFS administration console saying that “There was an exception while launching the Team Foundation Administration Console: Could not load file or assembly ‘Microsoft.TeamFoundation.Framework.Server, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a’ or one of its dependencies. The located assembly’s manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)”. Any thoughts?

  • Avatar
    Kelly, John

    Everytime I run one of these patches for 2017 the output is a bunch of “Waiting on process NNNNN (XXX seconds elapsed)” for several minutes, sporadic exceptions, waiting for the pool to stop for several more minutes, a final flurry of activity I suspect is that actual update running, and then the installer completes. I expect it to take several minutes and throw several exceptions and yet still ‘succeed’.
    Are the 2018 and 2019 installers markedly better than the 2017 installer in this regard? Is this motivation to move to 2019 or just what I should expect with these installs?

Leave a comment