{"id":67525,"date":"2023-09-12T11:08:53","date_gmt":"2023-09-12T19:08:53","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=67525"},"modified":"2023-10-30T20:12:31","modified_gmt":"2023-10-31T04:12:31","slug":"september-patches-for-azure-devops-server-2","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/september-patches-for-azure-devops-server-2\/","title":{"rendered":"September patches for Azure DevOps Server and Team Foundation Server"},"content":{"rendered":"<p>This month, we are releasing fixes that impact our self-hosted product, <a href=\"https:\/\/azure.microsoft.com\/services\/devops\/server\/\" rel=\"noopener\" target=\"_blank\">Azure DevOps Server<\/a>.<\/p>\n<p>The following versions of the products have been patched. Check out the links for each version for more details.<\/p>\n<ul>\n<li>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/september-patches-for-azure-devops-server-2\/#azure-devops-server-2022-0-1-patch-3\">Azure DevOps Server 2022.0.1<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/september-patches-for-azure-devops-server-2\/#azure-devops-server-2020-1-2-patch-8\">Azure DevOps Server 2020.1.2<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/september-patches-for-azure-devops-server-2\/#azure-devops-server-2020-0-2-patch-4\">Azure DevOps Server 2020.0.2<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/september-patches-for-azure-devops-server-2\/#azure-devops-server-2019-1-2-patch-5\">Azure DevOps Server 2019.1.2<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/september-patches-for-azure-devops-server-2\/#azure-devops-server-2019-0-1-patch-15\">Azure DevOps Server 2019.0.1<\/a><\/p>\n<\/li>\n<li>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/september-patches-for-azure-devops-server-2\/#team-foundation-server-2018-3-2-patch-17\">Team Foundation Server 2018.3.2<\/a><\/p>\n<\/li>\n<\/ul>\n<h3>Azure DevOps Server 2022.0.1 Patch 3<\/h3>\n<p><strong>Update:<\/strong> If you downloaded patch 3 for Azure DevOps Server 2022.0.1 on September 12, you must download patch 3 again. The links published on September 12 were downloading patch 2 instead of patch 3. If you already installed patch 4 published on October 10, you don&#8217;t have to reinstall patch 3 since patches are cumulative and include changes for previously released patches.<\/p>\n<blockquote>\n<p><strong>Note:<\/strong> If you have Azure DevOps Server 2022, you should first update to <a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=2227611\">Azure DevOps Server 2022.0.1<\/a> and then install install <a href=\"https:\/\/aka.ms\/devops2022.0.1patch3\">Azure DevOps Server 2022.0.1 Patch 3<\/a>. If you have Azure DevOps 2022 and installed Patch 4, take a look at <a href=\"https:\/\/developercommunity.visualstudio.com\/t\/202201-upgrade-failure---Could-not-loa\/10444816#T-N10450536\">this post from the Developer Community<\/a> before you install this patch.<\/p>\n<\/blockquote>\n<p>If you have Azure DevOps Server 2022.0.1, you should install <a href=\"https:\/\/aka.ms\/devops2022.0.1patch3\">Azure DevOps Server 2022.0.1 Patch 3<\/a>. This patch includes updates to the Azure Pipelines agent. The updated version of the agent after installing Patch 4 will be 3.225.0.<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/server\/release-notes\/azuredevops2022?view=azure-devops#azure-devops-server-2022-update-01-patch-3-release-date-september-12-2023\"><strong>Release notes<\/strong><\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-33136\">CVE-2023-33136<\/a> \u2013 Azure DevOps Server Remote Code Execution Vulnerability.<\/li>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-38155\">CVE-2023-38155<\/a> \u2013 Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.<\/li>\n<\/ul>\n<p><strong>Verifying Installation<\/strong><\/p>\n<ul>\n<li>Run <code>devops2022.0.1patch3.exe CheckInstall<\/code>, <code>devops2022.0.1patch3.exe<\/code> is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed. <\/li>\n<\/ul>\n<h3>Azure DevOps Server 2020.1.2 Patch 8<\/h3>\n<p>If you have Azure DevOps Server 2020.1.1, you should first update to <a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=2195318\">Azure DevOps Server 2020.1.2<\/a>. Once on 2020.1.2, install <a href=\"https:\/\/aka.ms\/devops2020.1.2patch8\">Azure DevOps Server 2020.1.2 Patch 8<\/a>.<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/server\/release-notes\/azuredevops2020u1?view=azure-devops#azure-devops-server-2020-update-12-patch-8-release-date-september-12-2023\"><strong>Release notes<\/strong><\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-33136\">CVE-2023-33136<\/a> \u2013 Azure DevOps Server Remote Code Execution Vulnerability. <\/li>\n<\/ul>\n<blockquote>\n<p><strong>Note:<\/strong> To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.<\/p>\n<\/blockquote>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-38155\">CVE-2023-38155<\/a> \u2013 Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.<\/li>\n<\/ul>\n<p><strong>Verifying Installation<\/strong><\/p>\n<ul>\n<li>Run <code>devops2020.1.2patch8.exe CheckInstall<\/code>, <code>devops2020.1.2patch8.exe<\/code> is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed. <\/li>\n<\/ul>\n<h3>Azure DevOps Server 2020.0.2 Patch 4<\/h3>\n<p>If you have Azure DevOps Server 2020.0.1, you should first update to <a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=2195301\">Azure DevOps Server 2020.0.2<\/a>. Once on Update 2020.0.2, install <a href=\"https:\/\/aka.ms\/devops2020.0.2patch4\">Azure DevOps Server 2020.0.2 Patch 4<\/a>.<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/server\/release-notes\/azuredevops2020?view=azure-devops#azure-devops-server-2020-update-02-patch-4-release-date-september-12-2023\"><strong>Release notes<\/strong><\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-33136\">CVE-2023-33136<\/a> \u2013 Azure DevOps Server Remote Code Execution Vulnerability. <\/li>\n<\/ul>\n<blockquote>\n<p><strong>Note:<\/strong> To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.<\/p>\n<\/blockquote>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-38155\">CVE-2023-38155<\/a> \u2013 Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.<\/li>\n<\/ul>\n<p><strong>Verifying Installation<\/strong><\/p>\n<ul>\n<li>Run <code>devops2020.0.2patch4.exe CheckInstall<\/code>, <code>devops2020.0.2patch4.exe<\/code> is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed. <\/li>\n<\/ul>\n<h3>Azure DevOps Server 2019.1.2 Patch 5<\/h3>\n<p>If you have Azure DevOps Server 2019.1.1, you should first update to <a href=\"https:\/\/go.microsoft.com\/fwlink\/?LinkId=2194890\">Azure DevOps Server 2019.1.2<\/a>. Once on Update 2019.1.2, install <a href=\"https:\/\/aka.ms\/devops2019.1.2patch5\">Azure DevOps Server 2019.1.2 Patch 5<\/a>.<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/server\/release-notes\/azuredevops2019u1?view=azure-devops#azure-devops-server-2019-update-12-patch-5-release-date-september-12-2023\"><strong>Release notes<\/strong><\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-33136\">CVE-2023-33136<\/a> \u2013 Azure DevOps Server Remote Code Execution Vulnerability. <\/li>\n<\/ul>\n<blockquote>\n<p><strong>Note:<\/strong> To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.<\/p>\n<\/blockquote>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-38155\">CVE-2023-38155<\/a> \u2013 Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.<\/li>\n<\/ul>\n<p><strong>Verifying Installation<\/strong><\/p>\n<ul>\n<li>Run <code>devops2019.1.2patch5.exe CheckInstall<\/code>, <code>devops2019.1.2patch5.exe<\/code> is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.<\/li>\n<\/ul>\n<h3>Azure DevOps Server 2019.0.1 Patch 15<\/h3>\n<p>If you have Azure DevOps Server 2019.0.1, you should install <a href=\"https:\/\/aka.ms\/devops2019.0.1patch15\">Azure DevOps Server 2019.0.1 Patch 15<\/a>.<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/server\/release-notes\/azuredevops2019?view=azure-devops#azure-devops-server-201901-patch-15-release-date-september-12-2022\"><strong>Release notes<\/strong><\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-33136\">CVE-2023-33136<\/a> \u2013 Azure DevOps Server Remote Code Execution Vulnerability. <\/li>\n<\/ul>\n<blockquote>\n<p><strong>Note:<\/strong> To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.<\/p>\n<\/blockquote>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-38155\">CVE-2023-38155<\/a> \u2013 Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability.<\/li>\n<\/ul>\n<p><strong>Verifying Installation<\/strong><\/p>\n<ul>\n<li>Run <code>devops2019.0.1patch15.exe CheckInstall<\/code>, <code>devops2019.0.1patch15.exe<\/code> is the file that is downloaded from the link above. The output of the command will either say that the patch has been installed, or that it is not installed.<\/li>\n<\/ul>\n<h3>Team Foundation Server 2018.3.2 Patch 18<\/h3>\n<p>If you have Team Foundation Server 2018.3.2, you should install Team Foundation Server 2018.3.2 Patch 18.<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/visualstudio\/releasenotes\/tfs2018-update3#-release-date-september-12-2023\"><strong>Release notes<\/strong><\/a><\/p>\n<ul>\n<li><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2023-38155\">CVE-2023-38155<\/a> \u2013 Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability. <\/li>\n<\/ul>\n<blockquote>\n<p><strong>Note:<\/strong> To apply patches to address this vulnerability you will have to update the Azure Pipeline Agent. Please see the release notes for instructions.<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server. The following versions of the products have been patched. Check out the links for each version for more details. Azure DevOps Server 2022.0.1 Azure DevOps Server 2020.1.2 Azure DevOps Server 2020.0.2 Azure DevOps Server 2019.1.2 Azure DevOps Server 2019.0.1 Team Foundation [&hellip;]<\/p>\n","protected":false},"author":1006,"featured_media":54061,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[253,7256],"tags":[],"class_list":["post-67525","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-devops-server","category-patches"],"acf":[],"blog_post_summary":"<p>This month, we are releasing fixes that impact our self-hosted product, Azure DevOps Server. The following versions of the products have been patched. Check out the links for each version for more details. Azure DevOps Server 2022.0.1 Azure DevOps Server 2020.1.2 Azure DevOps Server 2020.0.2 Azure DevOps Server 2019.1.2 Azure DevOps Server 2019.0.1 Team Foundation [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/67525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/1006"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=67525"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/67525\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/54061"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=67525"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=67525"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=67525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}