CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
23.6%
A security vulnerability exists in Update Rollup 13 for Windows Azure Pack (WAP) that causes script injection of certain symbols to bypass portal UI restrictions. The portal UI restricts certain symbols such as greater than ( < ) and less than ( > ) symbols that are needed for “<script>” injection.By replaying a request in Fiddler, strings that contain characters such as < and**>can be sent as the subscription name. TheSubscriptionNamefield can be set to any string up to 128 characters. In this scenario, you can load and run various scripts such as<script src=“https://code.jquery.com/jquery-1.10.2.min.js”>or<script>alert(document.cookie)</script>**.To learn more about this vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2018-8652.
Update packages for Windows Azure Pack are available from Microsoft Update or by manual download.
This security update is available through Windows Update. When you turn on automatic updating, this security update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.
Go to the following website to manually download the security update package from the Microsoft Update Catalog:Download the Windows Azure Pack security update package now.
__
Installation instructions
These installation instructions are for the following Windows Azure Pack components:
Notes
* If you're using virtual machines, take snapshots of their current state.
* If you're not using virtual machines, back up each MgmtSvc-* folder in the Inetpub directory on each computer that has a WAP component installed.
* Collect information and files that are related to your certificates, host headers, and any port changes.
1. If you're using the original self-signed certificates that were installed by WAP, the update operation will replace them. You have to export the new certificate and import it to the other nodes that are under load balancing. These certificates have a CN=MgmtSvc-* (self-signed) naming pattern.
2. Update Resource Provider (RP) services (SQL Server, My SQL, SPF/VMM, websites) as necessary. And make sure that the RP sites are running.
3. Update the Tenant API site, Public Tenant API, Administrator API nodes, and Administrator and Tenant Authentication sites.
4. Update the Administrator and Tenant sites.
The scripts to obtain database versions and update databases that are installed by the MgmtSvc-PowerShellAPI.msi are stored in the following location:C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Database
If all components are updated and functioning as expected, you can open the traffic to your updated nodes. Otherwise, see the “Rollback instructions” section.
Note If you’re updating from an update rollup that is the same as or earlier than Update Rollup 5 for Windows Azure Pack, follow these instructions to update the WAP database.
__
Rollback instructions
If a problem occurs and you determine that a rollback is necessary, follow these steps:
Note Don’t leave the system in a partly updated state. Perform rollback operations on all computers on which Windows Azure Pack was installed, even if the update failed on only one node.
We recommend that you run the Windows Azure Pack Best Practice Analyzer on each Windows Azure Pack node to make sure that configuration items are correct.
3. Open the traffic to your restored nodes.
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
23.6%