The update that this article describes has been replaced by a newer update rollup. We recommend that you install the most current update. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
3158609 Update Rollup 10 for Windows Azure Pack
Summary
This article describes the security issues that are fixed in Update Rollup 9.1 for Windows Azure Pack (file version 3.32.8196.12). It also contains the installation instructions for the rollup.
Issues that are fixed in this update rollup
Issue 1 - ZeroClipboard cross-site scripting vulnerability
The pre-9.1 versions of WAP include a version of ZeroClipboard (v 1.1.7) that is vulnerable to cross-site scripting (XSS). Security Update Rollup 9.1 for WAP includes updated ZeroClipboard version 1.3.5, which resolves this vulnerability. You can find details about it here.
Impact ZeroClipboard is found in the Admin and Tenant portals, and in the Tenant Authentication service. This vulnerability can be exploited on all these services. A service provider will usually keep the Admin portal inaccessible by tenants, but the Tenant portal and the Tenant Auth service are typically made available to tenants. Be aware that the Tenant Auth service isn't supported in production deployments. If an attack is successful, the adversary can run anything that a WAP administrator or tenant user can run in the application. The adversary could also build upon this bug and attack the browser or workstation of the victim, or create or access tenant resources (such as virtual machines or SQL Server). Because the federated authentication server is also vulnerable, other attack options might also be available.
Issue 2 - Tenant Public API service vulnerability
In the pre-9.1 versions of WAP, an active tenant attacker can upload a certificate through the Public Tenant API service and associate it with a target tenant's subscription ID. This lets the attacker gain access to the target tenant resources. Update Rollup 9.1 blocks such an attack.
Impact An adversary can use this to access the WAP tenant Public API service. However, in order to do so, the attacker must know the subscriptionId of the victim. There's at least one possible scenario for an adversary to gain access to the subscriptionId. The application lets administrators create co-admins. When someone signs in as co-admin, they get to know the subscriptionId. If this co-admin is later removed, they can perform the attack.
These installation instructions are for the following Windows Azure Pack components:
-
Tenant site
-
Tenant API
-
Tenant Public API
-
Administration site
-
Administration API
-
Authentication
-
Windows Authentication
-
Usage
-
Monitoring
-
Microsoft SQL
-
MySQL
-
Web Application Gallery
-
Configuration site
-
Best Practices Analyzer
-
PowerShell API
To install the update .msi files for each Windows Azure Pack (WAP) component, follow these steps:
-
If the system is currently operational (handling customer traffic), schedule downtime for the Azure Pack servers. The Windows Azure Pack currently doesn't support rolling upgrades.
-
Stop or redirect customer traffic to sites that you consider satisfactory.
-
Create backup images of the web servers and the SQL Server databases.
Notes-
If you are using virtual machines, take snapshots of their current state.
-
If you aren't using VMs, take a backup of each MgmtSvc-* folder in the Inetpub directory on each computer that has a WAP component installed.
-
Collect information and files that are related to your certificates, host headers, and any port changes.
-
-
If you are using your own theme for the Windows Azure Pack Tenant site, follow these instructions to preserve your theme changes before you run the update.
-
Run the update by running each .msi file on the computer on which the corresponding component is running. For example, run the MgmtSvc-AdminAPI.msi on the computer that's running "MgmtSvc-AdminAPI" site in Internet Information Services (IIS).
-
For each node under Load Balancing, run the updates for components in the following order:
-
If you are using the original self-signed certificates that are installed by WAP, the update operation replaces them. You have to export the new certificate and import to the other nodes under Load Balancing. These certificates have a CN=MgmtSvc-* (Self-Signed) naming pattern.
-
Update Resource Provider (RP) services (SQL Server, My SQL, SPF/VMM, websites) as necessary. Make sure that the RP sites are running.
-
Update the Tenant API site, Public Tenant API, Administrator API nodes, and Administrator and Tenant authentication sites.
-
Update the Administrator and Tenant sites.
-
-
Scripts to get database versions and update databases installed by the MgmtSvc-PowerShellAPI.msi are stored in the following location:
C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Database
-
If all components are updated and functioning as expected, you can open the traffic to your updated nodes. Otherwise, see the "Rollback instructions" section.
Note If you are updating from an update rollup that's equal to or older than Update Rollup 5 for Windows Azure Pack, follow these instructions to update the WAP database.
If an issue occurs and you verify that a rollback is necessary, follow these steps:
-
If snapshots are available from the second note in step 3 in the "Installation instructions" section, apply the snapshots. If there are no snapshots, go to the next step.
-
Use the backup that was taken in the first and third note in step 3 in the "Installation instructions" section to restore your databases and computers.
Note Do not leave the system in a partly updated state. Perform rollback operations on all computers on which Windows Azure Pack was installed, even if the update failed on one node.
Recommended Run the Windows Azure Pack Best Practice Analyzer on each Windows Azure Pack node to make sure that configuration items are correct. -
Open the traffic to your restored nodes.
Download instructionsUpdate packages for Windows Azure Pack are available from Microsoft Update or by manual download.
Microsoft UpdateTo obtain and install an update package from Microsoft Update, follow these steps on a computer that has an applicable component installed:
-
Click Start, and then click Control Panel.
-
In Control Panel, double-click Windows Update.
-
In the Windows Update window, click Check Online for updates from Microsoft Update.
-
Click Important updates are available.
-
Select the Update Rollup packages that you want to install, and then click OK.
-
Select Install updates to install the selected update packages.
Manual download of the update packagesGo to the following website to manually download the update packages from the Microsoft Update Catalog:
|
Files that are changed |
Version |
|---|---|
|
MgmtSvc-SQLServer.msi |
3.32.8196.12 |
|
MgmtSvc-TenantAPI.msi |
3.32.8196.12 |
|
MgmtSvc-TenantPublicAPI.msi |
3.32.8196.12 |
|
MgmtSvc-TenantSite.msi |
3.32.8196.12 |
|
MgmtSvc-Usage.msi |
3.32.8196.12 |
|
MgmtSvc-WebAppGallery.msi |
3.32.8196.12 |
|
MgmtSvc-WindowsAuthSite.msi |
3.32.8196.12 |
|
MgmtSvc-AdminAPI.msi |
3.32.8196.12 |
|
MgmtSvc-AdminSite.msi |
3.32.8196.12 |
|
MgmtSvc-AuthSite.msi |
3.32.8196.12 |
|
MgmtSvc-Bpa.msi |
3.32.8196.12 |
|
MgmtSvc-ConfigSite.msi |
3.32.8196.12 |
|
MgmtSvc-Monitoring.msi |
3.32.8196.12 |
|
MgmtSvc-MySQL.msi |
3.32.8196.12 |
|
MgmtSvc-PowerShellAPI.msi |
3.32.8196.12 |
