Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk

Summary

Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web client version (SFXv1). The issue requires an attacker to already have code deployment and execution privileges in the Service Fabric cluster and for the target to use the vulnerable web client (SFXv1). 

At this time, Microsoft is not aware of any exploitation or abuse of this vulnerability. To remain secure, we recommend all Service Fabric customers upgrade to the most recent SFX version and refrain from manually switching to the older, vulnerable SFXv1 web client version. An upcoming release of SF will remove SFXv1 and the option to switch to it. 

We thank Orca Security for informing us of this vulnerability and working with us under Coordinated Vulnerability Disclosure to help protect our customers.  

Additional References