What you need to know
- A vulnerability in Azure Cosmos DB meant that attackers could illegitimately secure admin rights to access user data.
- Microsoft and CISA have offered guidance on how to proceed.
Toward the end of August, an Azure vulnerability was exposed — one that may have existed for months, if not entire years. Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have addressed the issue (via Reuters).
In a Microsoft Security Response Center blog post, the company not only outlined the situation but also gave advisement on how to ensure safety going forward:
This vulnerability only affects a subset of customers who had the Jupyter Notebook feature enabled. Notifications have been sent to all customers that could be potentially affected due to researcher activity, advising they regenerate their primary read-write key. Other keys including the secondary read-write key, primary read-only key, and secondary read-only key were not vulnerable.
CISA said the same, advising that customers regenerate certificate keys to remain protected. CISA also recommended taking a look at an Azure Cosmos DB security doc from Microsoft.
Microsoft claimed no data had been compromised as a result of the aforementioned vulnerability but still sent out notifications to potentially affected parties. The company also paid out $40,000 to the group that discovered the vulnerability.
If you want to know how much that's worth on the scale Microsoft uses to pay out vulnerability catchers, check out how much the company has paid out to bug hunters since July 2020. You'll notice that number, $40,000, is a lot smaller than the most one might get for discovering a vulnerability with Windows 11, though even the maximum figure for Windows 11 may not be as big as you expect.
