Microsoft, CISA provide Azure Cosmos DB guidance in wake of vulnerability
Azure customers should make sure they're not vulnerable.
What you need to know
- A vulnerability in Azure Cosmos DB meant that attackers could illegitimately secure admin rights to access user data.
- Microsoft and CISA have offered guidance on how to proceed.
Toward the end of August, an Azure vulnerability was exposed — one that may have existed for months, if not entire years. Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have addressed the issue (via Reuters).
In a Microsoft Security Response Center blog post (opens in new tab), the company not only outlined the situation but also gave advisement on how to ensure safety going forward:
CISA said the same, advising that customers regenerate certificate keys to remain protected. CISA also recommended taking a look at an Azure Cosmos DB security doc (opens in new tab) from Microsoft.
Microsoft claimed no data had been compromised as a result of the aforementioned vulnerability but still sent out notifications to potentially affected parties. The company also paid out $40,000 to the group that discovered the vulnerability.
If you want to know how much that's worth on the scale Microsoft uses to pay out vulnerability catchers, check out how much the company has paid out to bug hunters since July 2020. You'll notice that number, $40,000, is a lot smaller than the most one might get for discovering a vulnerability with Windows 11, though even the maximum figure for Windows 11 may not be as big as you expect.
Windows Central Newsletter
Get the best of Windows Central in your inbox, every day!
Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to email@example.com.