Summary
As part of a security review, we determined that a Microsoft-held private key, used in support of unlocking the Azure Stack Hub privileged endpoint for the Azure Stack Hub 2005 build, was not properly secured. Further investigation found no evidence of misuse of the private key. Out of an abundance of caution, Microsoft is providing this hotfix to rotate the public key used for this privileged endpoint support unlock sequence.
To use this private key to unlock a privileged endpoint, all of the following conditions must be met:
- You must have cloud administrator credentials for the Azure Stack Hub appliance.
- You must have network connectivity to the Azure Stack Hub privileged endpoint IP addresses. Note that these IP addresses are on the isolated infrastructure network. In a standard deployment, they are not internet-routable, so the endpoints are reachable only from your internal management network.
- You must use the private key to process the challenge-response support token and use the result to unlock the privileged endpoint. This is the same flow as a support scenario engaged directly with Microsoft, as described in the Azure Stack Hub article Using the privileged endpoint in Azure Stack Hub.
This hotfix rotates the public key used to unlock the Azure Stack Hub privileged endpoint for Azure Stack Hub 2005 and includes all previous 2005 hotfixes. We strongly recommend installing this hotfix as soon as possible. In addition to the key rotation, this hotfix includes the following fixes:
- Fixed an issue that erroneously raised the alert "Node inaccessible for VM Placement."
- Removed an invalid repair interface for seedringservices.
- Improved SDN network reliability on the physical nodes.
- Disabled the winrrm runner.
Fixes rolled up from previous hotfix releases
- Fixed a bug check and enforced external key protectors on cluster shared volumes.
- Fixed an issue in which a storage account might be partially restored because of a KVS race condition in the SRP background usage job.
- Fixed an issue in which a virtual subnet was not cleaned up if the tunnel was moved to a different GW VM and the VGW was then deleted.
- Fixed an issue that could cause registration and internal secret rotation to fail.
- Fixed an issue in internal secret rotation that might cause the next update to fail.
- Added memory-specific settings to the crash dump settings.
- Restarted SQL VMs to mitigate a potential issue with database access that affects access to the portal.
- Remediated an SMB handle invalidation issue triggered by an ESENT error 59 event in TableServer.
- Included the AzsInfraRoleSummary Test-AzureStack test in the UpdateReadiness group.
- Remediated ERCS memory pressure during patch and update.
- Included the deployment provider identity certificate in internal secret rotation.
- Improved Network Controller stability.
- Increased Network Controller log retention to aid diagnosis.
- Added Get-NetView to the Get-AzureStackLog collection by default.
- Fixed an issue in which marketplace downloads could fail because of a certificate validation error.
- Improved HealthAgent binary switchover logic.
- Improved cluster shared volume rebalancing after patch and update (PnU).
- Used ADSI to fetch local group members in HealthAgent.
- Added the records that were missing when WASP VMs failed to synchronize DNS records and zones by using the DNS cmdlets during scale-in and scale-out.
- Improved storage service reliability during PnU.
- Removed a public IP quota validation that caused an issue when creating an internal load balancer.
- Improved the reliability of VM deletion: new VMs that could not be fully created or added to the cluster are now deleted.
- Checked and enforced key protectors on cluster shared volumes.
- Fixed an "access denied" issue that caused update and admin operations to fail.
- Fixed WhsFaultScanner to relaunch when it gets stuck, so that alerts are correctly generated for users.
- Fixed an orchestration bug that prevented storage regeneration telemetry events from being emitted.
- Fixed an issue that affected the reliability of downloading subsequent updates.
- Improved the ability to diagnose failures based on orchestrator telemetry.
- Fixed an SRP race condition in moving system storage accounts to the system internal subscription during 2005 PnU.
- Fixed a time unit scaling error in the server latency metrics.
- Fixed an issue in which the configuration of the retention period for deleted storage accounts was reverted.
- Improved the reliability of the storage blob and table services.
- Addressed an issue in the Send-AzureStackDiagnosticLog PEP cmdlet.
- Increased the HRP repair time when an update failure occurs.
Hotfix information
To apply this hotfix, you must have version 1.2005.6.53 or later.
Important As outlined in the release notes for the 2005 update, make sure that you refer to the update activity checklist on running Test-AzureStack (with the specified parameters), and resolve any operational issues that are found, including all warnings and failures. Also, review active alerts and resolve any that require action.
File information
Download the following files. Then, follow the instructions on the Apply updates in Azure Stack page on the Microsoft Learn website to apply this update to Azure Stack.
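The version requirement and pre-update checklist above, carried out from the privileged endpoint (PEP) as an added PowerShell example that is not code from the Microsoft article or from Microsoft's tooling: it gates the install on the stamp version, runs Test-AzureStack -Group UpdateReadiness, and then polls the update plan once you have started the install from the administrator portal. The PEP address, the Step node attributes and status strings read from the update-plan XML, and the local log file path are assumptions, not taken from this page; the cmdlet names are the PEP's documented cmdlets.

```powershell
# Added example (not from the KB article): gate the hotfix on the documented checks,
# then watch the install from the privileged endpoint.
$pepIp   = '10.0.0.224'              # ASSUMPTION: one of your ERCS/PEP addresses on the infrastructure network
$minimum = [version]'1.2005.6.53'    # minimum stamp version stated in this article

$cred = Get-Credential -Message 'Azure Stack Hub cloud administrator (AzureStack\CloudAdmin)'

# The PEP is a JEA endpoint: only its allow-listed cmdlets exist inside the session,
# so every call below is made with Invoke-Command against that session.
$pep = New-PSSession -ComputerName $pepIp -ConfigurationName PrivilegedEndpoint -Credential $cred
try {
    # 1. Version gate: this hotfix requires 1.2005.6.53 or later.
    $stamp   = Invoke-Command -Session $pep -ScriptBlock { Get-AzureStackStampInformation }
    $current = [version]$stamp.StampVersion
    if ($current -lt $minimum) {
        throw "Stamp is at $current; apply the 2005 update (>= $minimum) before this hotfix."
    }
    Write-Host "Stamp version $current meets the minimum $minimum"

    # 2. Readiness: the release-notes checklist requires Test-AzureStack -Group UpdateReadiness,
    #    with every warning and failure resolved before you start the update.
    Invoke-Command -Session $pep -ScriptBlock { Test-AzureStack -Group UpdateReadiness }

    # 3. After you have downloaded the files and started the install, poll the update plan.
    #    Get-AzureStackUpdateStatus returns the plan as XML; the Step attribute names and the
    #    'InProgress' / 'Error' status strings are ASSUMPTIONS about that XML, not from this page.
    do {
        [xml]$plan = Invoke-Command -Session $pep -ScriptBlock { Get-AzureStackUpdateStatus }
        $steps = $plan.SelectNodes('//Step')
        $steps | Select-Object Name, Status, StartTimeUtc, EndTimeUtc | Format-Table -AutoSize

        $failed = $steps | Where-Object { $_.Status -eq 'Error' }
        if ($failed) {
            # Capture the verbose orchestrator log for the failed step(s) before opening a case.
            Invoke-Command -Session $pep -ScriptBlock { Get-AzureStackUpdateVerboseLog } |
                Out-File -FilePath "$env:TEMP\AzsUpdateVerbose.log"   # ASSUMPTION: local path
            throw "Update step(s) failed: $($failed.Name -join ', ')"
        }

        $running = $steps | Where-Object { $_.Status -eq 'InProgress' }
        if ($running) { Start-Sleep -Seconds 300 }
    } while ($running)

    # 4. Confirm the stamp reports the new build once the plan completes.
    $after = Invoke-Command -Session $pep -ScriptBlock { Get-AzureStackStampInformation }
    Write-Host "Stamp version after hotfix: $($after.StampVersion)"
}
finally {
    Remove-PSSession -Session $pep
}
```

Everything above runs with ordinary cloud administrator rights in a locked PEP session; the support unlock sequence described in the Summary (the challenge-response token flow) is not required to install this hotfix, and the key rotated by this hotfix only affects that unlock flow. Because the PEP addresses sit on the isolated infrastructure network, run the script from a management workstation that already has a route to them rather than exposing the endpoints further.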
More information
Azure Stack Hub update resources
Manage updates in Azure Stack overview
Monitor updates in Azure Stack by using the privileged endpoint