Headline
Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk
Summary Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web … Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk Read More »
Summary
Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web client version (SFXv1). The issue requires an attacker to already have code deployment and execution privileges in the Service Fabric cluster and for the target to use the vulnerable web client (SFXv1).
At this time, Microsoft is not aware of any exploitation or abuse of this vulnerability. To remain secure, we recommend all Service Fabric customers upgrade to the most recent SFX version and refrain from manually switching to the older, vulnerable SFXv1 web client version. An upcoming release of SF will remove SFXv1 and the option to switch to it.
We thank Orca Security for informing us of this vulnerability and working with us under Coordinated Vulnerability Disclosure to help protect our customers.
Additional References
- Visit the Security Update Guide for information on CVE- 2022-35829.
- Azure Service Fabric Product Blog
- Instructions for upgrading and updating Azure Service Fabric clusters.
- Questions? Open a support case through the Azure Portal at aka.ms/azsupt.
Related news
Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Tracked as CVE-2023-23383 (CVSS score: 8.2), the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. "The Super FabriXss vulnerability
Cybersecurity researchers have shared more details about a now-patched security flaw in Azure Service Fabric Explorer (SFX) that could potentially enable an attacker to gain administrator privileges on the cluster. The vulnerability, tracked as CVE-2022-35829, carries a CVSS severity rating of 6.2 and was addressed by Microsoft as part of its Patch Tuesday updates last week. Orca
Summary Summary Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web client version (SFXv1).