September patches for Azure DevOps Server and Team Foundation Server

Gloridel Morales

This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server.

The following versions of the products have been patched. Check out the links for each version for more details.

Azure DevOps Server 2022.0.1 Patch 3

Note: If you have Azure DevOps Server 2022, you should first update to Azure DevOps Server 2022.0.1 and then install install Azure DevOps Server 2022.0.1 Patch 3. If you have Azure DevOps 2022 and installed Patch 4, take a look at this post from the Developer Community before you install this patch.

If you have Azure DevOps Server 2022.0.1, you should install Azure DevOps Server 2022.0.1 Patch 3.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.
  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2022.0.1patch3.exe CheckInstall, devops2022.0.1patch3.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2020.1.2 Patch 8

If you have Azure DevOps Server 2020.1.1, you should first update to Azure DevOps Server 2020.1.2. Once on 2020.1.2, install Azure DevOps Server 2020.1.2 Patch 8.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2020.1.2patch8.exe CheckInstall, devops2020.1.2patch8.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2020.0.2 Patch 4

If you have Azure DevOps Server 2020.0.1, you should first update to Azure DevOps Server 2020.0.2. Once on Update 2020.0.2, install Azure DevOps Server 2020.0.2 Patch 4.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2020.0.2patch4.exe CheckInstall, devops2020.0.2patch4.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2019.1.2 Patch 5

If you have Azure DevOps Server 2019.1.1, you should first update to Azure DevOps Server 2019.1.2. Once on Update 2019.1.2, install Azure DevOps Server 2019.1.2 Patch 5.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2019.1.2patch5.exe CheckInstall, devops2019.1.2patch5.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2019.0.1 Patch 15

If you have Azure DevOps Server 2019.0.1, you should install Azure DevOps Server 2019.0.1 Patch 15.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2019.0.1patch15.exe CheckInstall, devops2019.0.1patch15.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Team Foundation Server 2018.3.2 Patch 18

If you have Team Foundation Server 2018.3.2, you should install Team Foundation Server 2018.3.2 Patch 18.

Release notes

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

5 comments

Leave a comment

  • Fokko V. 1

    It seems like the installer file 2022.0.1 Patch 3 has the same File version/Product version as 2022.0.1 Patch 2 (19.205.33921.2). Can you please check? I keep track of a list of all versions (https://github.com/FokkoVeegens/AzureDevOpsServerVersions), hence I discovered this.
    Another thing that seems strange to me is the fact that you state “If you have Team Foundation Server 2018.3.2, you should install Team Foundation Server 2018.3.2 Patch 17.”. 2018.3.2 Patch 17 was released on May 17th, 2022. It seems more logical to give this a new patch number, although it’s only the agent version that needs to be updated.

    • Gloridel MoralesMicrosoft employee 1

      Hi! Thank you for pointing this out. I have updated the link for the Azure DevOps Server 2022.0.1 patch and the file version should be 19.205.34025.4.

  • Andrej Guštin 0

    The release notes for DevOps Server 2020 Update 1.2 mentions updating some tasks via TFX. The tasks should be in Tasks_20230825.zip, howewer a link to the mentioned file is nowhere to be found.

  • Crawford Evans 0

    Thank you for this support. Will this server help with AI use?

Feedback usabilla icon