Security
Headlines
HeadlinesLatestCVEs

Headline

Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk

Summary Summary Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web client version (SFXv1).

msrc-blog
#xss#vulnerability#web#microsoft

Summary Summary

Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web client version (SFXv1). The issue requires an attacker to already have code deployment and execution privileges in the Service Fabric cluster and for the target to use the vulnerable web client (SFXv1).

At this time, Microsoft is not aware of any exploitation or abuse of this vulnerability. To remain secure, we recommend all Service Fabric customers upgrade to the most recent SFX version and refrain from manually switching to the older, vulnerable SFXv1 web client version. An upcoming release of SF will remove SFXv1 and the option to switch to it.

We thank Orca Security for informing us of this vulnerability and working with us under Coordinated Vulnerability Disclosure to help protect our customers.

Additional References Additional References

  • Visit the Security Update Guide for information on CVE- 2022-35829.
  • Azure Service Fabric Product Blog
  • Instructions for upgrading and updating Azure Service Fabric clusters.
  • Questions? Open a support case through the Azure Portal at aka.ms/azsupt.

Related news

Researchers Detail Severe "Super FabriXss" Vulnerability in Microsoft Azure SFX

Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Tracked as CVE-2023-23383 (CVSS score: 8.2), the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. "The Super FabriXss vulnerability

Researchers Detail Azure SFX Flaw That Could've Allowed Attackers to Gain Admin Access

Cybersecurity researchers have shared more details about a now-patched security flaw in Azure Service Fabric Explorer (SFX) that could potentially enable an attacker to gain administrator privileges on the cluster. The vulnerability, tracked as CVE-2022-35829, carries a CVSS severity rating of 6.2 and was addressed by Microsoft as part of its Patch Tuesday updates last week. Orca

Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk

Summary Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web … Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk Read More »

CVE-2022-35829

Service Fabric Explorer Spoofing Vulnerability.

msrc-blog: Latest News

Mitigating NTLM Relay Attacks by Default