Team Foundation Server Security Updates

Erin Dormier


Today, we are releasing updates for a cross-site scripting (XSS) vulnerability and for an issue where, in some instances, task groups may incorrectly show variables that are marked as secret. Team Foundation Server 2017 and 2018 are impacted. We have released patches for TFS 2017 Update 3.1 and TFS 2018 Update 1.2. We have also released TFS 2018 Update 3.2, which is a full install that includes these fixes.

TFS 2017
Customers on TFS 2017 should upgrade to TFS 2017 Update 3.1 and then install the TFS 2017 Update 3.1 patch. This patch includes the previous fix detailed in this blog post.

To verify that the patch is installed, check the version of the following file:
[TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll

TFS 2017 is installed to c:\Program Files\Microsoft Team Foundation Server 15.0 by default.

After installing the patch for TFS 2017 Update 3.1, the version should be 15.117.28504.0.

TFS 2018
TFS 2018 RTW, Update 1, or Update 1.1: Upgrade to TFS 2018 Update 1.2 and then install the TFS 2018 Update 1.2 patch. Previous security patches are included in TFS 2018 Update 1.2.

TFS 2018 Update 2, Update 3, Update 3.1, or customers who would like to be on the latest version of TFS: Upgrade to TFS 2018 Update 3.2, which includes these fixes. In addition to the security fixes, Update 3.2 includes fixes for other bugs. See the release notes for details.

Here are the TFS 2018 Update 3.2 links:
TFS 2018.3 Release Notes
TFS 2018.3.2 Web Installer
TFS 2018.3.2 ISO
TFS 2018.3.2 Express Web Installer
TFS 2018.3.2 Express ISO

To verify that the fixes are installed, check the version of the following file:
[TFS_INSTALL_DIR]\Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll

TFS 2018 is installed to c:\Program Files\Microsoft Team Foundation Server 2018 by default.

After installing the patch for TFS 2018 Update 1.2, the version should be 16.122.28512.1.
After installing TFS 2018 Update 3.2, the version should be 16.131.28507.4.
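
The file-version check described in the TFS 2017 and TFS 2018 sections above, as an added PowerShell example (not code from the original post). It assumes the default install directories named in the post and that the major.minor part of the file version identifies the update line; the function name Test-TfsPatchLevel is hypothetical.

```powershell
# Added example: compare the WebAccess.Admin DLL version with the patched
# versions stated in the post. Edit $InstallDirs if TFS is installed elsewhere.
$InstallDirs = @(
    'C:\Program Files\Microsoft Team Foundation Server 15.0',   # TFS 2017 default
    'C:\Program Files\Microsoft Team Foundation Server 2018'    # TFS 2018 default
)
$RelPath = 'Application Tier\Web Services\bin\Microsoft.TeamFoundation.Server.WebAccess.Admin.dll'

# Patched file versions from the post, keyed by "major.minor".
# Assumption: major.minor of the file version identifies the update line.
$Patched = @{
    '15.117' = [version]'15.117.28504.0'   # TFS 2017 Update 3.1 + patch
    '16.122' = [version]'16.122.28512.1'   # TFS 2018 Update 1.2 + patch
    '16.131' = [version]'16.131.28507.4'   # TFS 2018 Update 3.2
}

function Test-TfsPatchLevel {
    param([version]$FileVersion, [hashtable]$PatchedVersions)
    $key = '{0}.{1}' -f $FileVersion.Major, $FileVersion.Minor
    if (-not $PatchedVersions.ContainsKey($key)) {
        # Not one of the three lines the post gives a version for.
        return 'UNKNOWN LINE: upgrade to a release the post lists, then re-check'
    }
    $expected = $PatchedVersions[$key]
    if ($FileVersion -eq $expected) { return 'PATCHED (matches the post)' }
    if ($FileVersion -gt $expected) {
        # Assumption: a higher build on the same line carries these fixes.
        return "NEWER than $expected (assumed to include the fixes)"
    }
    return "MISSING PATCH: expected $expected"
}

foreach ($dir in $InstallDirs) {
    $dll = Join-Path $dir $RelPath
    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Output "$dir : file not found"
        continue
    }
    # Build the version from the numeric parts; the FileVersion string may carry extra text.
    $vi  = (Get-Item -LiteralPath $dll).VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                          $vi.FileBuildPart, $vi.FilePrivatePart)
    Write-Output ('{0} : {1} -> {2}' -f $dir, $ver, (Test-TfsPatchLevel $ver $Patched))
}
```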

Azure DevOps Server 2019
These vulnerabilities exist in Azure DevOps Server 2019 RC1. They will be fixed in RC2, which we plan to release later this month.

Erin Dormier

Principal Program Manager, Azure DevOps
