Description
Service Fabric Explorer Spoofing Vulnerability
FAQ
According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?
An attacker needs to have CreateComposeDeployment permission to exploit this vulnerability. Please refer to the Security/ClientAccess section of Customize Service Fabric cluster settings for more information on the permission.
According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
The vulnerability is in the web client, but the malicious scripts executed in the victim’s browser translate into actions executed in the (remote) cluster.
How can I ensure I am not on a vulnerable version of Service Fabric Explorer?
A vulnerable version of Service Fabric Explorer (SFXv1) has a URL that ends in "old.html". If you are on an unsupported version of Service Fabric Runtime (8.1.316 and below), you are vulnerable. Please update to a supported version of Service Fabric Runtime. See Service Fabric supported versions for the list of all supported versions of the runtime. On supported versions of the Service Fabric Runtime, the Service Fabric Explorer version (SFXv2) that is loaded by default is not affected by this vulnerability. On supported SF runtime versions, you can verify you are using SFXv2 by checking that the URL of Service Fabric Explorer ends in "index.html".
How can I update my Service Fabric Cluster to the latest version?
Please refer to Manage Service Fabric cluster upgrades for instructions on how to update your Service Fabric Cluster.
If I am on a supported version of Service Fabric Runtime, how can I switch to the latest version of Service Fabric Explorer (SFXv2)?
SFXv2 is loaded by default on all supported versions of Service Fabric. You can navigate to SFXv2 by making sure the Service Fabric Explorer URL ends in "index.html". An example of a vulnerable URL would be https://<your instance name>.cloudapp.azure.com:19080/Explorer/old.html#/.
You can navigate to any of the following URLs to switch to SFXv2:
- https://<your instance name>.cloudapp.azure.com:19080/Explorer/index.html#/
- https://<your instance name>.cloudapp.azure.com:19080/Explorer/
- https://<your instance name>.cloudapp.azure.com:19080/
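The two checks above (runtime version 8.1.316 and below, and an Explorer URL ending in "old.html" versus "index.html") combined into a single exposure check, as an added example that is not part of this advisory; the host name and any runtime version other than 8.1.316 used in it are constructed samples.

```python
from urllib.parse import urlsplit

# Last unsupported Service Fabric runtime named in the advisory; a cluster on
# this version or below is exposed regardless of which Explorer page is loaded.
LAST_UNSUPPORTED_RUNTIME = (8, 1, 316)


def parse_runtime_version(version: str) -> tuple:
    """Turn a dotted runtime version such as '8.1.316' into a tuple of ints
    so that versions compare numerically rather than as strings."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Service Fabric runtime version: {version!r}")
    return tuple(int(p) for p in parts)


def explorer_page(url: str) -> str:
    """Classify an Explorer URL as 'sfx-v1' (old.html), 'sfx-v2' (index.html,
    or the /Explorer/ and root paths that load SFXv2 by default) or 'unknown'.
    The trailing '#/' fragment is ignored and the path is compared case-insensitively."""
    path = urlsplit(url).path.lower()
    if path.endswith("old.html"):
        return "sfx-v1"
    if path.endswith("index.html") or path in ("", "/", "/explorer", "/explorer/"):
        return "sfx-v2"
    return "unknown"


def is_vulnerable(url: str, runtime_version: str) -> bool:
    """Apply the advisory's two conditions: an unsupported runtime (8.1.316 and
    below) is vulnerable outright; on a supported runtime only the SFXv1 page
    (old.html) is affected. An 'unknown' page on a supported runtime is not
    flagged here and should be inspected by hand."""
    if parse_runtime_version(runtime_version) <= LAST_UNSUPPORTED_RUNTIME:
        return True
    return explorer_page(url) == "sfx-v1"


if __name__ == "__main__":
    # Constructed sample inputs, not a real cluster.
    host = "https://sample-cluster.cloudapp.azure.com:19080"
    for page, runtime in ((f"{host}/Explorer/old.html#/", "9.0.1017"),
                          (f"{host}/Explorer/index.html#/", "9.0.1017"),
                          (f"{host}/Explorer/index.html#/", "8.1.316")):
        print(f"{runtime:<10} {page:<70} vulnerable={is_vulnerable(page, runtime)}")
```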
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
A victim user would have to click the stored XSS payload injected by the attacker to be compromised.
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
CVSS3: 6.2 Medium