Updated: Azure DevOps Server and Team Foundation Server patches

Gloridel Morales

With this patch cycle, we are releasing fixes that impact our self-hosted product, Azure DevOps Server, as well as Team Foundation Server 2018.3.2. Please see the release notes for additional installation instructions.

The following will be fixed with this patch:

  • Upgraded search plugins to use log4j core version 2.17.1.

2/23 Update: If Azure DevOps Server/TFS and Elasticsearch are installed on different machines, follow the steps outlined below.

  1. Upgrade the server with the latest patch.

  2. Check the registry value at HKLM:\Software\Elasticsearch\Version on the ElasticSearch server machine. Update the registry value to 5.4.1, this value is irrespective if you have higher version of ElasticSearch. If the registry value is not there, add a string value and set the Version to 5.4.1 (Name = Version, Value = 5.4.1). You will have to reindex the collection after the patch if there was no registry value.

  3. Copy the content of the folder named zip, located on C:\Program Files{TFS Version Folder}\Search\zip to the Elasticsearch remote file folder.

  4. Run Configure-TFSSearch.ps1 -Operation update on the Elasticsearch server machine.

2/17 Update: Do not update Log4 jar file manually to 2.17.1, this is unsupported and will cause Elasticsearch to not work properly or break.

2/8 Update: The addition of the plugins upgrading to 2.17.1 was incorrect and we apologize for the confusion that this caused. Currently, using Configure-TFS is the only supported means to update Elasticsearch. We are in the process of validating the patches on a more comprehensive configuration matrix including installation of Elasticsearch on a separate machine and will update the release notes and/or patches in the next few days.

  • Addressed Elasticsearch vulnerability by removing the jndilookup class from log4j binaries.
  • Email notifications were not sent when using the @mention control in a work item.
  • Preferred email address was not getting updated in user profile.
  • Header was not shown in the Project Summary page.
  • Improvement to Active Directory user sync.

Azure DevOps Server 2020.1.1 Patch 4

If you have Azure DevOps Server 2020.1.1, you should install Azure DevOps Server 2020.1.1 Patch 4. Check out the release notes for more details.

Verifying Installation

  • Option 1: Run devops2020.1.1patch4.exe CheckInstall, devops2020.1.1patch4.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that is not installed.

  • Option 2: Check the version of the following file: [INSTALL_DIR]\Azure DevOps Server 2020\Application Tier\bin\Microsoft.Teamfoundation.Framework.Server.dll. Azure DevOps Server 2020.1.1 is installed to c:\Program Files\Azure DevOps Server 2020 by default. After installing Azure DevOps Server 2020.1.1 Patch 4, the version will be 18.181.32118.5.

Azure DevOps Server 2020.0.1 Patch 9

If you have Azure DevOps Server 2020.0.1, you should install Azure DevOps Server 2020.0.1 Patch 9. Check out the release notes for more details.

Verifying Installation

  • Option 1: Run devops2020.0.1patch9.exe CheckInstall, devops2020.0.1patch9.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that is not installed.

  • Option 2: Check the version of the following file: [INSTALL_DIR]\Azure DevOps Server 2020\Application Tier\bin\Microsoft.Teamfoundation.Framework.Server.dll. Azure DevOps Server 2020.0.1 is installed to c:\Program Files\Azure DevOps Server 2020 by default. After installing Azure DevOps Server 2020.0.1 Patch 9, the version will be 18.17032118.4.

Azure DevOps Server 2019.1.1 Patch 13

If you have Azure DevOps Server 2019 Update 1.1, you should install Azure DevOps Server 2019 Update 1.1 Patch 13. Check out the release notes for more details

Verifying Installation

  • Option 1: Run devops2019.1.1patch13.exe CheckInstall. devops2019.1.1patch13.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that is not installed.

  • Option 2: Check the version of the following file: [INSTALL_DIR]\Azure DevOps Server 2019\Application Tier\Web Services\bin\Microsoft.VisualStudio.Services.Feed.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default. After installing Azure DevOps Server 2019.1.1 Patch 13, the version will be 17.153.32118.3.

Azure DevOps Server 2019.0.1 Patch 12

If you have Azure DevOps Server 2019, you should first update to Azure DevOps Server 2019.0.1. Once on 2019.0.1, install Azure DevOps Server 2019.0.1 Patch 12. Check out the release notes for more details.

Verifying Installation

  • Option 1: Run devops2019.0.1patch12.exe CheckInstall. devops2019.1.1patch12.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that is not installed.

  • Option 2: Check the version of the following file: [INSTALL_DIR]\Azure DevOps Server 2019\Application Tier\Web Services\bin\Microsoft.VisualStudio.Services.Feed.Server.dll. Azure DevOps Server 2019 is installed to c:\Program Files\Azure DevOps Server 2019 by default. After installing Azure DevOps Server 2019.0.1 Patch 12, the version will be 17.143.32118.2.

TFS 2018 Update 3.2 Patch 16

If you have TFS 2018 Update 2 or Update 3, you should first update to TFS 2018 Update 3.2. Once on Update 3.2, install TFS 2018 Update 3.2 Patch 16. Check out the release notes for more details

Verifying Installation

  • Option 1: Run tfs2018.3.2patch16.exe CheckInstall, tfs2018.3.2patch16.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that is not installed.

  • Option 2: Check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.WorkItemTracking.Web.dll. TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default. After installing TFS 2018 Update 3.2 Patch 16, the version will be 16.131.32118.1.

Last updated: 2/23/2022 @ 6:25 pm PST

45 comments

Comments are closed. Login to edit/delete your existing comments

  • Kamlesh Kumawat 0

    Could you please help, it is confusing if remediation for Log4J is in place. I followed the latest instructions for patch “Azure DevOps Server 2019.1.1 Patch 13” and it has been installed; I can verify “Azure DevOps Server 2019.1.1 Patch 13, the version will be 17.153.32118.3.”

    Though the “C:\Program Files\Azure DevOps Server 2019\Search\ES\elasticsearchv6.2\lib” directory still has same Log4J version as “log4j-core-2.9.1”. My expectation was it will updated to newer version.

    Thanks!

  • Andrew Kanieski 0

    In case anyone has a problem and you run into this error where it thinks your NOT running 64 Bit Java.. I noticed that with IBM Semeru java -version returns the text “64-Bit” .. instead of the “64-bit” that the ./modules/JavaHelper.psm1 is expecting around line 44. You may need to comment out accordingly.. assuming you’re sure you are indeed running 64bit Java:

                #if ($words -contains "64-bit")
                #{
                    $ret.Is64Bit = $true
                #}

    I think Powershell’s -contains operator should be case insensitive by default but perhaps there is some bad character hidden in there.. but commenting out that if check allowed us to continue.

  • Virantha T 0

    Hi Gloridel,

    We are running a single server Azure DevOps 2020 – 18.181.31626.1 (Azure DevOps Server 2020 Update 1.1)
    Update 4 was applied, however our M365 Defender report shows the vulnerability against the files below:
    C:\Program Files\Azure DevOps Server 2020\Search\ES\elasticsearchv6.2\lib\log4j-1.2-api-2.9.1.jar
    C:\Program Files\Azure DevOps Server 2020\Search\ES\elasticsearchv6.2\lib\log4j-core-2.9.1.jar

    Please advice if the M365 Defender report is to be ignored? or has the Update 4 not been applied properly?

    Thanks.

Feedback usabilla icon