January 15th, 2019

Team Foundation Server Security Updates

Erin Dormier
Principal Program Manager

Today, we are releasing updates for a cross-site scripting (XSS) vulnerability and an issue where, in some instances, task groups may incorrectly show variables that are marked as secret. Team Foundation Server 2017 and 2018 are impacted. We have released patches for TFS 2017 Update 3.1 and TFS 2018 Update 1.2. We have also released TFS 2018 Update 3.2, which is a full install that includes these fixes.

**TFS 2017**

Customers on TFS 2017 should upgrade to TFS 2017 Update 3.1 and then install the TFS 2017 Update 3.1 patch. This patch includes the previous fix detailed in this blog post.

To verify whether you have the patch installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll

TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing the patch for TFS 2017 Update 3.1, the version should be 15.117.28504.0.

**TFS 2018**

*TFS 2018 RTW, Update 1, or Update 1.1:* Upgrade to TFS 2018 Update 1.2 and then install the TFS 2018 Update 1.2 patch. Previous security patches are included in TFS 2018 Update 1.2.

*TFS 2018 Update 2, Update 3, Update 3.1, or customers who would like to be on the latest version of TFS:* Upgrade to TFS 2018 Update 3.2, which includes these fixes. In addition to the security fixes, Update 3.2 includes fixes for other bugs. See the release notes for details.

Here are the TFS 2018 Update 3.2 links: TFS 2018.3 Release Notes, TFS 2018.3.2 Web Installer, TFS 2018.3.2 ISO, TFS 2018.3.2 Express Web Installer, TFS 2018.3.2 Express ISO

To verify whether you have the fixes installed, you can check the version of the following file: [TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll

TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing the patch for TFS 2018 Update 1.2, the version should be 16.122.28512.1. After installing TFS 2018 Update 3.2, the version should be 16.131.28507.4 or 16.131.28601.4 (our re-released version).
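The file-version check described for TFS 2017 and TFS 2018 can be scripted on the application tier. The following is an added example, not part of the original post or a Microsoft tool; it uses the default install directories and fixed versions quoted above, and it assumes that a higher build number within the same major.minor branch also contains the fix.

```powershell
# Added example: compare Microsoft.TeamFoundation.Server.WebAccess.Admin.dll
# against the fixed versions listed in this post.
$relativePath = 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'

# Default install directories from the post; adjust if TFS was installed elsewhere.
$installDirs = @(
    'C:\Program Files\Microsoft Team Foundation Server 15.0',   # TFS 2017
    'C:\Program Files\Microsoft Team Foundation Server 2018'    # TFS 2018
)

# Fixed versions from the post, keyed by "major.minor" release branch.
$fixed = @{
    '15.117' = [version]'15.117.28504.0'   # TFS 2017 Update 3.1 + patch
    '16.122' = [version]'16.122.28512.1'   # TFS 2018 Update 1.2 + patch
    '16.131' = [version]'16.131.28507.4'   # TFS 2018 Update 3.2 (re-release: 16.131.28601.4)
}

foreach ($dir in $installDirs) {
    $dll = Join-Path $dir $relativePath
    if (-not (Test-Path -LiteralPath $dll)) { continue }   # this TFS version is not installed here

    # Build the version from the numeric parts; the FileVersion string can carry extra text.
    $info = (Get-Item -LiteralPath $dll).VersionInfo
    $installed = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                                $info.FileBuildPart, $info.FilePrivatePart)
    $branch = '{0}.{1}' -f $installed.Major, $installed.Minor

    if (-not $fixed.ContainsKey($branch)) {
        # Not one of the update levels the post provides a fix for; upgrade first.
        $status = 'Update level not listed in the post'
    } elseif ($installed -ge $fixed[$branch]) {
        # Assumption: later builds in the same branch include the fix.
        $status = 'Fixed'
    } else {
        $status = 'Patch missing'
    }

    [pscustomobject]@{ Path = $dll; Installed = $installed; Status = $status }
}
```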

**Azure DevOps Server 2019**

These vulnerabilities exist in Azure DevOps Server 2019 RC1. They will be fixed in RC2, which we plan to release later this month.


2 comments


  • Mario Majcica

    Hi Erin, I just installed the update 3.2 on TFS 2018. You are suggesting that the version should be 16.131.28507.4, however, I actually see the version set to 16.131.28601.4. Is there an official MS list of all of the versions of TFS and AzDO server? Thanks