September 12th, 2023

September patches for Azure DevOps Server and Team Foundation Server

Gloridel Morales
Senior Technical Program Manager

This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server.

The following versions of the products have been patched. Check out the links for each version for more details.

Azure DevOps Server 2022.0.1 Patch 3

Update: If you downloaded patch 3 for Azure DevOps Server 2022.0.1 on September 12, you must download patch 3 again. The links published on September 12 were downloading patch 2 instead of patch 3. If you already installed patch 4 published on October 10, you don’t have to reinstall patch 3 since patches are cumulative and include changes for previously released patches.

Note: If you have Azure DevOps Server 2022, you should first update to Azure DevOps Server 2022.0.1 and then install install Azure DevOps Server 2022.0.1 Patch 3. If you have Azure DevOps 2022 and installed Patch 4, take a look at this post from the Developer Community before you install this patch.

If you have Azure DevOps Server 2022.0.1, you should install Azure DevOps Server 2022.0.1 Patch 3. This patch includes updates to the Azure Pipelines agent. The updated version of the agent after installing Patch 4 will be 3.225.0.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.
  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2022.0.1patch3.exe CheckInstall, devops2022.0.1patch3.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2020.1.2 Patch 8

If you have Azure DevOps Server 2020.1.1, you should first update to Azure DevOps Server 2020.1.2. Once on 2020.1.2, install Azure DevOps Server 2020.1.2 Patch 8.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2020.1.2patch8.exe CheckInstall, devops2020.1.2patch8.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2020.0.2 Patch 4

If you have Azure DevOps Server 2020.0.1, you should first update to Azure DevOps Server 2020.0.2. Once on Update 2020.0.2, install Azure DevOps Server 2020.0.2 Patch 4.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2020.0.2patch4.exe CheckInstall, devops2020.0.2patch4.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2019.1.2 Patch 5

If you have Azure DevOps Server 2019.1.1, you should first update to Azure DevOps Server 2019.1.2. Once on Update 2019.1.2, install Azure DevOps Server 2019.1.2 Patch 5.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2019.1.2patch5.exe CheckInstall, devops2019.1.2patch5.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Azure DevOps Server 2019.0.1 Patch 15

If you have Azure DevOps Server 2019.0.1, you should install Azure DevOps Server 2019.0.1 Patch 15.

Release notes

  • CVE-2023-33136 – Azure DevOps Server Remote Code Execution Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Verifying Installation

  • Run devops2019.0.1patch15.exe CheckInstall, devops2019.0.1patch15.exe is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.

Team Foundation Server 2018.3.2 Patch 18

If you have Team Foundation Server 2018.3.2, you should install Team Foundation Server 2018.3.2 Patch 18.

Release notes

  • CVE-2023-38155 – Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.

Note: To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.

Author

Gloridel Morales
Senior Technical Program Manager

Gloridel is a Senior Technical Program Manager on the Azure DevOps team.

13 comments

Discussion is closed. Login to edit/delete existing comments.

  • Kohl, Franz

    I just tried to install devops2022.0.1patch3.exe on Azure DevOps Server 2022.0.1, but it failed with the statement "This patch does not apply to Azure DevOps Server version 19.205.33122.1.".

    I ran devops2022.0.1patch3.exe CheckInstall before, and it clearly states that the patch is not installed on this App Tier. It also does not claim that this patch would not be eligible for this App Tier. ADS is running on Windows Server 2019 Std. with SQL Server 2019 Ent.,...

    Read more
    • Gloridel MoralesMicrosoft employee Author

      Hi Franz, 19.205.33122.1 corresponds to Azure DevOps Server 2022 so devops2022.0.1patch3.exe is not applicable to this version of the product. You should first update to Azure DevOps Server 2022.0.1 to install devops2022.0.1patch3.exe.
      We do have a known issue if you have Azure DevOps 2022 and installed patch 4, take a look at this post from the Developer Community for details.

      • Kohl, Franz

        Hi Gloridel, thanks a lot for your timely and helpful answer! In fact, I discovered that I’ve downloaded and installed the RTM version of ADS 2022, while I thought I had downloaded and installed 2022.0.1… 🙄. Now I’ve downloaded the correct version 2022.0.1, upgraded the RTM version and was able to successfully install devops2022.0.1patch3.exe a few minutes ago 👍😊. Thanks once more! 🤝

  • Curt Koch

    We decided to press forward. The Tasks_20230825.zip file contains AzureFileCopyV1.1.226.3.zip but the release notes don’t list it in the commands to run. Please advise. Thank you

    • Patrick Woo-SamMicrosoft employee

      Hi Curt, thank you for bringing this to our attention. The AzureFileCopyV1.1.226.3.zip task should be updated using the tfx tool.

      I will update the docs to reflect that AzureFileCopyV1.1.226.3.zip should be updated.

  • Curt Koch · Edited

    We unfortunately don’t have a test environment so this patch would be going directly into production. For 2019 1.2 Patch 5 can we first apply patch5, then test, then update the agent, test again, and then finally update the tasks? Or does everything have to be done at once for things to work correctly together?

  • Crawford Evans

    Thank you for this support. Will this server help with AI use?

    • Gloridel MoralesMicrosoft employee Author

      Hi Crawford, can you share some examples of AI scenarios that you want to have in Azure DevOps Server?

  • Andrej Guštin · Edited

    The release notes for DevOps Server 2020 Update 1.2 mentions updating some tasks via TFX. The tasks should be in Tasks_20230825.zip, howewer a link to the mentioned file is nowhere to be found.

    • Gloridel MoralesMicrosoft employee Author

      Hi Andrej, thank you for reporting this. You can download the zip file from Tasks_20230825.zip. I will update the release notes to include the link.

      • Your comment is awaiting moderation.
        anonymous · Edited

        this comment has been deleted.

  • Fokko V. · Edited

    It seems like the installer file 2022.0.1 Patch 3 has the same File version/Product version as 2022.0.1 Patch 2 (19.205.33921.2). Can you please check? I keep track of a list of all versions (https://github.com/FokkoVeegens/AzureDevOpsServerVersions), hence I discovered this.
    Another thing that seems strange to me is the fact that you state "If you have Team Foundation Server 2018.3.2, you should install Team Foundation Server 2018.3.2 Patch 17.". 2018.3.2 Patch 17 was released on May 17th,...

    Read more
    • Gloridel MoralesMicrosoft employee Author

      Hi! Thank you for pointing this out. I have updated the link for the Azure DevOps Server 2022.0.1 patch and the file version should be 19.205.34025.4.