Upgrade Azure.Idenntity to 1.12.0 For CVE (Azure#25318)

* Upgrade Azure.Identity for CVE

* Integrate new MSAL runtime to fix WAM popup window issue

* Update the reference of Authentication.csproj and ChangeLog.md

* Fix Azure.Core.AccessToken used before assigned issue

* Address review comments

* Update src/Accounts/Accounts/ChangeLog.md

Co-authored-by: Yeming Liu <[email protected]>

---------

Co-authored-by: Yeming Liu <[email protected]>

src/Accounts/Accounts/ChangeLog.md

@@ -19,6 +19,8 @@
 -->
 
 ## Upcoming Release
+* Fixed [CVE-2024-35255](https://github.com/advisories/GHSA-m5vv-6r4h-3vj9)
+* Updated `Microsoft.Identity.Client.NativeInterop` to fix the WAM pop window issue in elevated mode [#24967]
 * Updated the reference of Azure PowerShell Common to 1.3.98-preview.
 * Limited promotional message to interactive scenarios only
 

src/Accounts/AssemblyLoading/ConditionalAssemblyProvider.cs

@@ -42,14 +42,14 @@ public static void Initialize(string rootPath, IConditionalAssemblyContext conte
                 // todo: add a tool to update assembly versions after replacing the assemblies. (Can it support newly introduced assemblies?)
                 // todo: consider moving the list to a standalone config file
                 #region AssemblyList
-                CreateAssembly("netstandard2.0", "Azure.Core", "1.38.0.0"),
-                CreateAssembly("netstandard2.0", "Azure.Identity", "1.11.2.0"),
+                CreateAssembly("netstandard2.0", "Azure.Core", "1.40.0.0"),
+                CreateAssembly("netstandard2.0", "Azure.Identity", "1.12.0.0"),
                 CreateAssembly("netstandard2.0", "Azure.Identity.Broker", "1.1.0.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.Bcl.AsyncInterfaces", "1.0.0.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client", "4.60.3.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Extensions.Msal", "4.60.3.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Broker", "4.60.3.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.NativeInterop", "0.16.0.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client", "4.61.3.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Extensions.Msal", "4.61.3.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Broker", "4.61.3.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.NativeInterop", "0.16.2.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.IdentityModel.Abstractions", "6.35.0.0"),
                 CreateAssembly("netstandard2.0", "System.ClientModel", "1.0.0.0"),
                 CreateAssembly("netstandard2.0", "System.Memory.Data", "1.0.2.0"),

src/Accounts/Authentication/Authentication.csproj

@@ -12,11 +12,11 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.11.2" />
+    <PackageReference Include="Azure.Identity" Version="1.12.0" />
     <PackageReference Include="Azure.Identity.Broker" Version="1.1.0" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.60.3" />
-    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.60.3" />
-    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.60.3"/>
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.61.3" />
+    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.61.3" />
+    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.61.3"/>
   </ItemGroup>
 
   <ItemGroup>

src/CosmosDB/CosmosDB/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Fixed the issue that Azure.Core.AccessToken is used before assigned.
 
 ## Version 1.14.3
 * Removed the out-of-date breaking change message for `Get-AzCosmosDBAccountKey`.

src/CosmosDB/CosmosDB/Helpers/CosmosDBSessionCredential.cs

@@ -47,24 +47,28 @@ public CosmosDBSessionCredential(IAzureContext defaultContext, string endPointRe
 
         public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
-            AccessToken token;
-            this.accessToken.AuthorizeRequest((tokenType, tokenValue) =>
+            DateTimeOffset expiresOn;
+            string token = string.Empty;
+            accessToken.AuthorizeRequest((tokenType, tokenValue) =>
             {
-                token = new AccessToken(tokenValue, DateTimeOffset.UtcNow);
+                token = tokenValue;
+                expiresOn = DateTimeOffset.UtcNow;
             });
 
-            return token;
+            return new AccessToken(token, expiresOn);
         }
 
         public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
-            AccessToken token;
-            this.accessToken.AuthorizeRequest((tokenType, tokenValue) =>
+            DateTimeOffset expiresOn;
+            string token = string.Empty;
+            accessToken.AuthorizeRequest((tokenType, tokenValue) =>
             {
-                token = new AccessToken(tokenValue, DateTimeOffset.UtcNow);
+                token = tokenValue;
+                expiresOn = DateTimeOffset.UtcNow;
             });
 
-            return new ValueTask<AccessToken>(token);
+            return new ValueTask<AccessToken>(new AccessToken(token, expiresOn));
         }        
     }
 }

src/Storage/Storage.Management/ChangeLog.md

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed the issue that Azure.Core.AccessToken is used before assigned.
 * Supported TLS1_3 when creating and updating a storage account 
     - `New-AzStorageAccount`
     - `Set-AzStorageAccount`

src/Storage/Storage/Common/AzureSessionCredential.cs

@@ -1,12 +1,12 @@
-using System;
-using System.Collections.Generic;
-using System.Text;
-using System.Threading;
-using System.Threading.Tasks;
-using Azure.Core;
+using Azure.Core;
+
 using Microsoft.Azure.Commands.Common.Authentication;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+
 namespace Microsoft.WindowsAzure.Commands.Storage.Common
 {
     public delegate void DebugLogWriter(string log);
@@ -51,33 +51,37 @@ public AzureSessionCredential(IAzureContext DefaultContext, DebugLogWriter logWr
 
         public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
-            AccessToken token;
+            DateTimeOffset expiresOn;
+            string token = string.Empty;
             accessToken.AuthorizeRequest((tokenType, tokenValue) =>
             {
-                token = new AccessToken(tokenValue, DateTimeOffset.UtcNow);
+                token = tokenValue;
+                expiresOn = DateTimeOffset.UtcNow;
             });
 #if DEBUG 
             if (this.debugLogWriter != null)
             {
-                this.debugLogWriter("[" + DateTime.Now.ToString() + "] GetToken: " + token.Token);
+                this.debugLogWriter("[" + DateTime.Now.ToString() + "] GetToken: " + token);
             }
 #endif
-            return token;
+            return new AccessToken(token, expiresOn);
         }
 
         public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
-            AccessToken token;
+            DateTimeOffset expiresOn;
+            string token = string.Empty;
             accessToken.AuthorizeRequest((tokenType, tokenValue) =>
             {
-                token = new AccessToken(tokenValue, DateTimeOffset.UtcNow);
+                token = tokenValue;
+                expiresOn = DateTimeOffset.UtcNow;
             });
 
             if (this.debugLogWriter != null)
             {
-                this.debugLogWriter("[" + DateTime.Now.ToString() + "] GetTokenAsync: " + token.Token);
+                this.debugLogWriter("[" + DateTime.Now.ToString() + "] GetTokenAsync: " + token);
             }
-            return new ValueTask<AccessToken>(token);
+            return new ValueTask<AccessToken>(new AccessToken(token, expiresOn));
         }
 
         private IAzureEnvironment EnsureStorageOAuthAudienceSet(IAzureEnvironment environment)

src/Synapse/Synapse/ChangeLog.md

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Fixed the issue that Azure.Core.AccessToken is used before assigned.
 
 ## Version 3.0.8
 * Upgraded `Microsoft.DataTransfer.Gateway.Encryption` to `5.29.8499.2`

src/Synapse/Synapse/Common/AzureSessionCredential.cs

@@ -12,16 +12,16 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
 
-using System;
-using System.Collections.Generic;
-using System.Text;
-using System.Threading;
-using System.Threading.Tasks;
 using Azure.Core;
+
 using Microsoft.Azure.Commands.Common.Authentication;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.ResourceManager.Common.Properties;
 
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+
 namespace Microsoft.Azure.Commands.Synapse.Common
 {
     public delegate void DebugLogWriter(string log);
@@ -51,31 +51,36 @@ public AzureSessionCredential(IAzureContext DefaultContext, DebugLogWriter logWr
 
         public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
-            AccessToken token;
+            DateTimeOffset expiresOn;
+            string token = string.Empty;
             accessToken.AuthorizeRequest((tokenType, tokenValue) =>
             {
-                token = new AccessToken(tokenValue, DateTimeOffset.UtcNow);
+                token = tokenValue;
+                expiresOn = DateTimeOffset.UtcNow;
             });
+
             if (this.debugLogWriter != null)
             {
-                this.debugLogWriter("[" + DateTime.Now.ToString() + "] GetToken: " + token.Token);
+                this.debugLogWriter("[" + DateTime.Now.ToString() + "] GetToken: " + token);
             }
-            return token;
+            return new AccessToken(token, expiresOn);
         }
 
         public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
         {
-            AccessToken token;
+            DateTimeOffset expiresOn;
+            string token = string.Empty;
             accessToken.AuthorizeRequest((tokenType, tokenValue) =>
             {
-                token = new AccessToken(tokenValue, DateTimeOffset.UtcNow);
+                token = tokenValue;
+                expiresOn = DateTimeOffset.UtcNow;
             });
 
             if (this.debugLogWriter != null)
             {
-                this.debugLogWriter("[" + DateTime.Now.ToString() + "] GetTokenAsync: " + token.Token);
+                this.debugLogWriter("[" + DateTime.Now.ToString() + "] GetTokenAsync: " + token);
             }
-            return new ValueTask<AccessToken>(token);
+            return new ValueTask<AccessToken>(new AccessToken(token, expiresOn));
         }
 
         private IAccessToken accessToken;

tools/Common.Netcore.Dependencies.targets

@@ -22,7 +22,7 @@
     <PackageReference Include="Microsoft.CSharp" Version="4.7.0" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Azure.Core" Version="1.38.0"/>
+    <PackageReference Include="Azure.Core" Version="1.40.0"/>
   </ItemGroup>
   <ItemGroup Condition="'$(IsTestProject)' != 'true'">
     <PackageReference Include="Microsoft.ApplicationInsights" Version="2.18.0">