Today, we are releasing updates for a cross site scripting (XSS) vulnerability and an issue where in some instances task groups may incorrectly show variables that are marked as secret. Team Foundation Server 2017 and 2018 are impacted. We have released patches for TFS 2017 Update 3.1 and TFS 2018 Update 1.2. We have also released TFS 2018 Update 3.2, which is a full install that includes these fixes.
**TFS 2017**
Customers on TFS 2017 should upgrade to TFS 2017 Update 3.1 and then install the TFS 2017 Update 3.1 patch. This patch includes the previous fix detailed in this blog post.
To verify whether you have the patch installed, check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll
TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.
After installing the patch for TFS 2017 Update 3.1, the version should be 15.117.28504.0.
**TFS 2018**
*TFS 2018 RTW, Update 1, or Update 1.1:* Upgrade to TFS 2018 Update 1.2 and then install the TFS 2018 Update 1.2 patch. Previous security patches are included in TFS 2018 Update 1.2.
*TFS 2018 Update 2, Update 3, Update 3.1, or anyone who would like to be on the latest version of TFS:* Upgrade to TFS 2018 Update 3.2, which includes these fixes. In addition to the security fixes, Update 3.2 includes fixes for other bugs. See the release notes for details.
Here are the TFS 2018 Update 3.2 links:
- TFS 2018.3 Release Notes
- TFS 2018.3.2 Web Installer
- TFS 2018.3.2 ISO
- TFS 2018.3.2 Express Web Installer
- TFS 2018.3.2 Express ISO
To verify whether you have the fixes installed, check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll
TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.
After installing the patch for TFS 2018 Update 1.2, the version should be 16.122.28512.1. After installing TFS 2018 Update 3.2, the version should be 16.131.28507.4 or 16.131.28601.4 (our re-released version).
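The version check above, scripted: an added PowerShell example (not part of the original post) that reads the file version of Microsoft.TeamFoundation.Server.WebAccess.Admin.dll from the default TFS 2017 and TFS 2018 install paths and compares it against the patched build numbers listed in this post. It assumes the four-part version shown in the file's FileVersion property is the one to compare, and that a later build on the same major.minor branch supersedes the listed minimum; the function name and the output format are this example's own.

```powershell
# Minimum patched file version per servicing branch (major.minor), taken from the post.
$MinPatched = @{
    '15.117' = [version]'15.117.28504.0'   # TFS 2017 Update 3.1 + patch
    '16.122' = [version]'16.122.28512.1'   # TFS 2018 Update 1.2 + patch
    '16.131' = [version]'16.131.28507.4'   # TFS 2018 Update 3.2 (re-release 16.131.28601.4 also passes)
}

# Default install locations named in the post; pass -InstallDir for a custom path.
$DefaultInstallDirs = @(
    'C:\Program Files\Microsoft Team Foundation Server 15.0',   # TFS 2017 default
    'C:\Program Files\Microsoft Team Foundation Server 2018'    # TFS 2018 default
)

function Test-TfsPatchLevel {
    param([string[]]$InstallDir = $DefaultInstallDirs)

    foreach ($dir in $InstallDir) {
        $dll = Join-Path $dir 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'
        if (-not (Test-Path -LiteralPath $dll)) { continue }   # no TFS application tier at this path

        # Assumption: FileVersion carries the four-part build number the post refers to.
        $raw    = (Get-Item -LiteralPath $dll).VersionInfo.FileVersion.Trim()
        $ver    = [version]$raw
        $branch = '{0}.{1}' -f $ver.Major, $ver.Minor

        $status = if (-not $MinPatched.ContainsKey($branch)) {
            'NOT COVERED - branch not among the patched builds in this post; upgrade per the guidance above'
        } elseif ($ver -ge $MinPatched[$branch]) {
            'PATCHED'
        } else {
            'NOT PATCHED - install the patch for this branch'
        }

        [pscustomobject]@{ InstallDir = $dir; FileVersion = $raw; Status = $status }
    }
}

# Run on the TFS application-tier server (elevated prompt if the install directory is restricted).
Test-TfsPatchLevel | Format-Table -AutoSize
```

For a multi-server deployment, run the function over each application-tier host; a 16.12x build other than 16.122 (Update 2, 3, or 3.1) reports NOT COVERED, which matches the post's instruction to move those servers to Update 3.2.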
**Azure DevOps Server 2019**
These vulnerabilities exist in Azure DevOps Server 2019 RC1. They will be fixed in RC2, which we plan to release later this month.
Hi Erin, I just installed the update 3.2 on TFS 2018. You are suggesting that the version should be 16.131.28507.4, however, I actually see the version set to 16.131.28601.4. Is there an official MS list of all of the versions of TFS and AzDO server? Thanks
Hi Mario,
After this blog post, we ended up re-releasing TFS 2018 Update 3.2. The re-release is 16.131.28601.4, so you have the correct version. You can see all server versions here: https://docs.microsoft.com/en-us/azure/devops/release-notes/features-timeline#server-build-numbers. I’ll also update this blog post.
Thanks,
Erin