The update that this article describes has been replaced by a newer update rollup. We recommend that you install the most current update. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
3158609 Update Rollup 10 for Windows Azure Pack
This article describes the security issues that are fixed in Update Rollup 9.1 for Windows Azure Pack (file version 3.32.8196.12). It also contains the installation instructions for the rollup.
Issue 1 - ZeroClipboard cross-site scripting vulnerability
The pre-9.1 versions of WAP include a version of ZeroClipboard (v1.1.7) that is vulnerable to cross-site scripting (XSS). Security Update Rollup 9.1 for WAP includes updated ZeroClipboard version 1.3.5, which resolves this vulnerability. You can find details about it here.
Impact
ZeroClipboard is found in the Admin and Tenant portals, and in the Tenant Authentication service. This vulnerability can be exploited on all these services. A service provider will usually keep the Admin portal inaccessible by tenants, but the Tenant portal and the Tenant Auth service are typically made available to tenants. Be aware that the Tenant Auth service isn't supported in production deployments. If an attack is successful, the adversary can run anything that a WAP administrator or tenant user can run in the application. The adversary could also build upon this bug and attack the browser or workstation of the victim, or create or access tenant resources (such as virtual machines or SQL Server). Because the federated authentication server is also vulnerable, other attack options might also be available.
Issue 2 - Tenant Public API service vulnerability
In the pre-9.1 versions of WAP, an active tenant attacker can upload a certificate through the Public Tenant API service and associate it with a target tenant's subscription ID. This lets the attacker gain access to the target tenant resources. Update Rollup 9.1 blocks such an attack.
Impact
An adversary can use this to access the WAP tenant Public API service. However, in order to do so, the attacker must know the subscriptionId of the victim. There's at least one possible scenario for an adversary to gain access to the subscriptionId. The application lets administrators create co-admins. When someone signs in as co-admin, they get to know the subscriptionId. If this co-admin is later removed, they can perform the attack.
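The class of check that Issue 2 turns on, as an added example that is not Windows Azure Pack code and not part of the original article: a simplified model in which knowing a subscriptionId is treated as authorization, beside a version that requires the caller to administer the subscription at the time of the call. All class, method and tenant names, the thumbprints and the subscription ID are constructed, and the article does not describe how the rollup itself implements the block.

```python
# Simplified model, not Windows Azure Pack code. All names are hypothetical.
from dataclasses import dataclass, field

class AccessDenied(Exception):
    pass

@dataclass
class Subscription:
    subscription_id: str
    owner: str
    co_admins: set = field(default_factory=set)
    certificates: dict = field(default_factory=dict)  # thumbprint -> uploader

class PublicApi:
    def __init__(self):
        self.active_tenants = set()
        self.subscriptions = {}

    def upload_cert_unchecked(self, caller, subscription_id, thumbprint):
        # Flawed: any active tenant who knows the ID can bind a certificate.
        if caller not in self.active_tenants:
            raise AccessDenied("caller is not an active tenant")
        self.subscriptions[subscription_id].certificates[thumbprint] = caller

    def upload_cert_checked(self, caller, subscription_id, thumbprint):
        # Hardened: the caller must administer the subscription right now.
        if caller not in self.active_tenants:
            raise AccessDenied("caller is not an active tenant")
        sub = self.subscriptions.get(subscription_id)
        if sub is None or (caller != sub.owner and caller not in sub.co_admins):
            # Same error for unknown and foreign IDs, so IDs cannot be probed.
            raise AccessDenied("subscription not found for caller")
        sub.certificates[thumbprint] = caller

def removed_co_admin_scenario():
    """Constructed data: mallory was co-admin of alice's subscription, then removed."""
    api = PublicApi()
    api.active_tenants = {"alice", "mallory"}
    sub = Subscription("sub-0001-constructed", owner="alice", co_admins={"mallory"})
    api.subscriptions[sub.subscription_id] = sub
    sub.co_admins.discard("mallory")  # removal; mallory still remembers the ID
    api.upload_cert_unchecked("mallory", sub.subscription_id, "THUMB-A")
    unchecked_bound = "THUMB-A" in sub.certificates
    try:
        api.upload_cert_checked("mallory", sub.subscription_id, "THUMB-B")
        checked_bound = True
    except AccessDenied:
        checked_bound = False
    return unchecked_bound, checked_bound
```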
Download instructions
Update packages for Windows Azure Pack are available from Microsoft Update or by manual download.
Microsoft Update
To obtain and install an update package from Microsoft Update, follow these steps on a computer that has an applicable component installed:
- Click Start, and then click Control Panel.
- In Control Panel, double-click Windows Update.
- In the Windows Update window, click Check Online for updates from Microsoft Update.
- Click Important updates are available.
- Select the Update Rollup packages that you want to install, and then click OK.
- Select Install updates to install the selected update packages.
Manual download of the update packages
Go to the following website to manually download the update packages from the Microsoft Update Catalog:
Article ID: 3146301 - Last Review: Jun 22, 2016 - Revision: 1
Microsoft System Center 2012 R2, Windows Azure Pack (on Windows Server 2012 R2)