April Security Release: Patches available for Azure DevOps Server 2019, TFS 2018.3.2, TFS 2018.1.2, TFS 2017.3.1, and the release of TFS 2015.4.2

Erin

For the April security release, we are releasing fixes for vulnerabilities that impact Azure DevOps Server 2019, TFS 2018, TFS 2017, and TFS 2015. These vulnerabilities were found through our Azure DevOps Bounty Program. Thanks to everyone who has been participating in this program.

CVE-2019-0857: spoofing vulnerability in the Wiki

CVE-2019-0866: remote code execution vulnerability in Pipelines

CVE-2019-0867: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0868: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0869: HTML injection vulnerability in Pipelines

CVE-2019-0870: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0871: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0874: cross site scripting (XSS) vulnerability in Pipelines

CVE-2019-0875: elevation of privilege vulnerability in Boards

Azure DevOps Server 2019 Patch 1

If you have Azure DevOps Server 2019, you should install Azure DevOps Server 2019 Patch 1.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.VersionControl.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default.

After installing Azure DevOps Server 2019 Patch 1, the version will be 17.143.28804.3.

TFS 2018 Update 3.2 Patch 3

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 3.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 3.2 Patch 3, the version will be 16.131.28728.4.

TFS 2018 Update 1.2 Patch 3

If you have TFS 2018 RTW or Update 1, you should first update to TFS 2018 Update 1.2. Once on Update 1.2, install TFS 2018 Update 1.2 Patch 3.

Verifying Installation

To verify if you have this update installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing TFS 2018 Update 1.2 Patch 3, the version will be 16.122.28801.2.

TFS 2017 Update 3.1 Patch 4

If you have TFS 2017, you should first update to TFS 2017 Update 3.1. Once on Update 3.1, install TFS 2017 Update 3.1 Patch 4.

Verifying Installation

To verify if you have a patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll. TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing TFS 2017 Update 3.1 Patch 4, the version will be 15.117.28728.0.

TFS 2015 Update 4.2

If you are on TFS 2015, you should upgrade to TFS 2015 Update 4.2 with the ISO or Web Install. For TFS 2015 Update 4.2 Express, you can upgrade with the ISO or Web Install. This is a full upgrade and will require you to run the Upgrade Wizard.

27 comments

Comments are closed. Login to edit/delete your existing comments

  • Daniel Steiner

    why do I need to login to see the CVEs but a normal Live account does not work?

  • Long Pham

    For TFS 2015 Update 4.2 is there an express version available? tfsexpress2015.4.2.exe

  • Daniel Stefanescu

    Tried to apply the patch on a TFS2018 Update 3.2 Patch 2:Error patching files: System.UnauthorizedAccessException: Access to the path ‘C:\Program Files\Microsoft Team Foundation Server 2018\Application Tier\TFSJobAgent\Microsoft.TeamFoundation.DistributedTask.Orchestration.Server.dll’ is denied.

    • Daniel Stefanescu

      The current version of C:\Program Files\Microsoft Team Foundation Server 2018\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll is 16.131.28626.3 (I applied yesterday tfs2018.3.2patch2.exe)

      • Erin DormierMicrosoft employee

        Hi Daniel,

        For TFS 2018 Update 3.2, it should be patch 3. Can you confirm you installed tfs2018.3.2patch3.exe, not patch2? Are you still having the System.UnauthorizedAccessException issue?

  • Corné Wevers

    Hi, I just installed this patch on two of our test Azure Devops 2019 servers. On both servers the installation succeeded but it encountered a timeout exception while waiting for the application pool to have succesfully stopped. It doesn’t seem to correctly detect that the pool has stopped so it’ll hit the timeout. When retrying it’ll instantly detect that the pool has stopped and continue with applying the patch.

    • Erin DormierMicrosoft employee

      Hello Corné,

      I found out some information from my collegue, Matt.

      Sorry that you ran into problems with the install.  There are some rare cases where we don’t correctly detect that everything has stopped.  In those cases, re-running the patch is the correct response, and it will correctly update the files and then restart the server.

  • Markus

    When will be the groundbreaking feature implemented for an unattend installation from patches?

  • Giulio Vian

    @Erin, will these patches included in the ISO images downloadable from MSDN etc? If so, will take a long time? TIA

    • Erin DormierMicrosoft employee

      Hi Giulio,

      No, these won’t be included in the MSDN/VS Subscription ISOs. You’ll have to apply these patches over the installations you do with the VS subscription ISOs.

  • ADITYA JAMKHANDE

    Hello Erin,

    Thank you for the detailed description. I have a question which may sound silly. But are these patches applicable on the cloud or on the on prem environment?
    Thank you

    • Erin DormierMicrosoft employee

      Hi Aditya,

      These are only applicable to the on premises environments. All vulnerabilities that impacted our cloud service have already been addressed, so no action is needed for the service.

  • Mills, Charles

    I ran this against our server with 2017 3.1 and we now get an error starting up the TFS administration console saying that “There was an exception while launching the Team Foundation Administration Console: Could not load file or assembly ‘Microsoft.TeamFoundation.Framework.Server, Version=11.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a’ or one of its dependencies. The located assembly’s manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)”. Any thoughts?

  • Kelly, John

    Everytime I run one of these patches for 2017 the output is a bunch of “Waiting on process NNNNN (XXX seconds elapsed)” for several minutes, sporadic exceptions, waiting for the pool to stop for several more minutes, a final flurry of activity I suspect is that actual update running, and then the installer completes. I expect it to take several minutes and throw several exceptions and yet still ‘succeed’.
    Are the 2018 and 2019 installers markedly better than the 2017 installer in this regard? Is this motivation to move to 2019 or just what I should expect with these installs?