Advisory No: TZCERT/SA/2021/08/31
Date of First Release: 31st August 2021
Source: Microsoft
Software Affected:
- Azure Cosmos DB
Overview:
The vulnerability exists in the Azure Cosmos DB Jupyter Notebook feature. The exploitation of this vulnerability could allow a user to gain access to another customer’s resources by using the account’s primary read-write key.
Description:
The vulnerability is caused by a series of flaws in a Cosmos DB feature creating a loophole that allows any user to download, delete or manipulate a massive collection of commercial databases and read-write access to the underlying architecture of the Cosmos DB.
Impact:
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.
Solution:
Microsoft has fixed the flaw and issued a workaround that requires customers to regenerate their primary read-write keys. Users and administrators are advised to follow the steps described in this technical documentation.
References: