The update that this article describes has been replaced by a newer update rollup. We recommend that you install the most current update. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Issue 1 - Cross-site scripting vulnerability in ZeroClipboard
The pre-9.1 versions of WAP ship a version of ZeroClipboard (v1.1.7) that is vulnerable to cross-site scripting (XSS). Security Update Rollup 9.1 for WAP includes ZeroClipboard version 1.3.5, which resolves this vulnerability. You can find details about it here.
Impact
ZeroClipboard is used by the Admin portal, the Tenant portal, and the Tenant Authentication service, and the vulnerability can be exploited on all three. A service provider usually keeps the Admin portal inaccessible to tenants, but the Tenant portal and the Tenant Authentication service are typically exposed to tenants. Note that the Tenant Authentication service isn't supported in production deployments. If an attack succeeds, the adversary can perform, in the application, any action that the victim (a WAP administrator or tenant user) can perform. The adversary could also build on this bug to attack the victim's browser or workstation, or to create or access tenant resources (such as virtual machines or SQL Server databases). Because the federated authentication server is also affected, other attack paths may be available.
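Because the fix is a library swap, the practical check after (or before) applying the rollup is whether any WAP site folder still carries the old ZeroClipboard. The following PowerShell script is an added example written for this page; it is not code from the KB article or from Windows Azure Pack. It assumes that the WAP component folders live under C:\inetpub\MgmtSvc-* (the page only says "the Inetpub directory") and that the bundled ZeroClipboard*.js file keeps its upstream header comment, which carries the version as a "v1.3.5"-style string; both are assumptions, and the paths and the header pattern should be adjusted to the deployment.

```powershell
# Added example, not code from the KB article or from Windows Azure Pack.
# Audits every WAP site folder under Inetpub for bundled ZeroClipboard files
# and reports any copy older than the fixed version (1.3.5).
# Assumptions not stated on the page: WAP component folders are
# C:\inetpub\MgmtSvc-*, and the bundled ZeroClipboard*.js keeps its upstream
# header comment, which carries the version as "v1.3.5".
$FixedVersion = [version]'1.3.5'
$InetpubRoot  = 'C:\inetpub'   # assumption: default Inetpub location

function Get-ZeroClipboardVersion {
    param([Parameter(Mandatory)][string]$Path)
    # The version sits in the header comment, so only the first lines are read.
    foreach ($line in (Get-Content -Path $Path -TotalCount 30)) {
        if ($line -match '\bv(\d+\.\d+\.\d+)\b') { return [version]$Matches[1] }
    }
    return $null   # no version string found; flag for manual review
}

$results = foreach ($site in Get-ChildItem -Path $InetpubRoot -Directory -Filter 'MgmtSvc-*') {
    foreach ($file in Get-ChildItem -Path $site.FullName -Recurse -File -Filter 'ZeroClipboard*.js') {
        $ver = Get-ZeroClipboardVersion -Path $file.FullName
        [pscustomobject]@{
            Site        = $site.Name
            File        = $file.FullName
            Version     = $ver
            Vulnerable  = ($null -ne $ver) -and ($ver -lt $FixedVersion)
            NeedsReview = ($null -eq $ver)
        }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Vulnerable }) {
    Write-Warning 'A WAP site still ships ZeroClipboard older than 1.3.5; apply Update Rollup 9.1.'
    exit 1
}
if ($results | Where-Object { $_.NeedsReview }) {
    Write-Warning 'Some ZeroClipboard files carry no version header; inspect them manually.'
}
```

The JavaScript header is used as a proxy because the accompanying ZeroClipboard.swf carries no readable version string. Run the script on every machine that hosts a portal or the Tenant Authentication service, since each node keeps its own copy of the site folders.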
Issue 2 - Tenant Public API service vulnerability
In the pre-9.1 versions of WAP, an active tenant attacker can upload a certificate through the Tenant Public API service and associate it with a target tenant's subscription ID. This gives the attacker access to the target tenant's resources. Update Rollup 9.1 blocks this attack.
Impact
An adversary can use this to access the WAP Tenant Public API service as the target tenant. To do so, however, the attacker must know the victim's subscriptionId. There is at least one realistic way to learn it: the application lets administrators create co-admins, and anyone who signs in as a co-admin sees the subscriptionId. If that co-admin is later removed, they still know the subscriptionId and can carry out the attack.
These installation instructions are for the following Windows Azure Pack components:
Tenant Public API
Web Application Gallery
Best Practices Analyzer
To install the update .msi files for each Windows Azure Pack (WAP) component, follow these steps:
If the system is in production (handling customer traffic), schedule downtime for the Windows Azure Pack servers. Windows Azure Pack currently doesn't support rolling upgrades.
Stop customer traffic, or redirect it to an alternative site of your choosing.
Create backup images of the web servers and the SQL Server databases.
If you are using virtual machines, take snapshots of their current state.
If you aren't using VMs, take a backup of each MgmtSvc-* folder in the Inetpub directory on each computer that has a WAP component installed.
Collect the information and files related to your certificates, host headers, and any port changes; you'll need them to verify the sites after the update.
If you are using your own theme for the Windows Azure Pack Tenant site, follow these instructions to preserve your theme changes before you run the update.
Run the update by running each .msi file on the computer on which the corresponding component is running. For example, run the MgmtSvc-AdminAPI.msi on the computer that's running "MgmtSvc-AdminAPI" site in Internet Information Services (IIS).
For each node under Load Balancing, run the updates for the components in the following order.
Note: if you are using the original self-signed certificates that WAP installed, the update replaces them. You have to export the new certificate and import it on the other nodes under Load Balancing. These certificates follow a CN=MgmtSvc-* (Self-Signed) naming pattern.
1. Update the Resource Provider (RP) services (SQL Server, MySQL, SPF/VMM, websites) as necessary. Make sure that the RP sites are running.
2. Update the Tenant API site, Tenant Public API, Administrator API nodes, and the Administrator and Tenant authentication sites.
3. Update the Administrator and Tenant sites.
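The per-node part of this procedure (record the bindings, back up the site folders, run each component's .msi in the stated order, export any re-created self-signed certificates) can be scripted. The following PowerShell script is an added example written for this page, not code from the KB article or from Windows Azure Pack. It assumes that the .msi files were copied to a local folder, that each component's .msi is named after its IIS site (the article shows MgmtSvc-AdminAPI.msi for the MgmtSvc-AdminAPI site, and the script assumes the same pattern for every component), and that the IIS WebAdministration module and the Export-PfxCertificate cmdlet are available; the IIS site names used for ordering are likewise assumed, not taken from the page. Scheduling downtime, redirecting traffic, VM snapshots and theme preservation remain manual steps.

```powershell
# Added example, not code from the KB article or from Windows Azure Pack: a
# scripted version of the per-node procedure above (inventory, backup, run the
# .msi files in the article's order, export re-created self-signed certs).
# Assumptions not stated on the page: the .msi files were copied to $UpdateDir;
# each component's .msi is named after its IIS site (the article shows
# MgmtSvc-AdminAPI.msi for site MgmtSvc-AdminAPI; this script assumes the same
# pattern for every component); the WebAdministration module (IIS) and the
# Export-PfxCertificate cmdlet (Windows Server 2012 or later) are available.
#Requires -RunAsAdministrator
param(
    [string]$UpdateDir = 'C:\WAP-UR9.1',   # assumption: where the .msi files were copied
    [string]$BackupDir = "C:\WAP-backup-$(Get-Date -Format 'yyyyMMdd-HHmm')",
    [Parameter(Mandatory)][securestring]$PfxPassword   # protects the exported certificates
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration
New-Item -ItemType Directory -Path $BackupDir | Out-Null

# Order within this node, following the article: anything not listed (the RP
# sites) first, then the API and auth sites, then the Admin and Tenant sites.
# The site names below are assumed, not taken from the page.
$Order = @('MgmtSvc-TenantAPI', 'MgmtSvc-TenantPublicAPI', 'MgmtSvc-AdminAPI',
           'MgmtSvc-WindowsAuthSite', 'MgmtSvc-AuthSite',
           'MgmtSvc-AdminSite', 'MgmtSvc-TenantSite')
$sites = Get-Website | Where-Object { $_.Name -like 'MgmtSvc-*' } |
    Sort-Object { [array]::IndexOf($Order, $_.Name) }   # unlisted names return -1 and sort first

# 1. Record certificates, host headers and ports before anything changes.
$bindings = foreach ($s in $sites) {
    foreach ($b in $s.Bindings.Collection) {
        [pscustomobject]@{ Site = $s.Name; Protocol = $b.protocol
                           Binding = $b.bindingInformation; CertHash = $b.certificateHash }
    }
}
$bindings | Export-Csv -Path (Join-Path $BackupDir 'bindings.csv') -NoTypeInformation

# 2. Back up each MgmtSvc-* site folder (the non-snapshot path in the article).
foreach ($s in $sites) {
    $src = [Environment]::ExpandEnvironmentVariables($s.PhysicalPath)  # IIS paths may use %SystemDrive%
    Copy-Item -Path $src -Destination (Join-Path $BackupDir $s.Name) -Recurse
}

# 3. Run each component's .msi quietly with a verbose log; exit code 3010 means "reboot required".
foreach ($s in $sites) {
    $msi = Join-Path $UpdateDir "$($s.Name).msi"
    if (-not (Test-Path $msi)) { Write-Warning "No package for $($s.Name) in $UpdateDir; skipping"; continue }
    $log = Join-Path $BackupDir "$($s.Name).install.log"
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$msi`" /qn /l*v `"$log`"" -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited $($p.ExitCode) for $msi; see $log" }
}

# 4. Export the (possibly re-created) self-signed certificates so they can be
#    imported on the other load-balanced nodes with Import-PfxCertificate.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=MgmtSvc-*' } | ForEach-Object {
    $name = (($_.Subject -replace '^CN=', '') -replace '[^\w\-]', '_')
    Export-PfxCertificate -Cert $_ -FilePath (Join-Path $BackupDir "$name.pfx") -Password $PfxPassword | Out-Null
}
```

Run it on one node at a time, in the node order the article gives, and compare bindings.csv against the live bindings afterwards to confirm that host headers, ports and certificate hashes survived the update (or, for the self-signed case, that the new hashes are the ones now bound).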
The scripts that report database versions and update the databases, installed by MgmtSvc-PowerShellAPI.msi, are stored in the following location: