Microsoft warns customers of a critical vulnerability in Azure Cosmos DB

Steef-Jan Wiggers

Azure Cosmos DB is a globally distributed, fully managed NoSQL database service. Microsoft recently warned thousands of its Cosmos DB customers about a vulnerability that exposed their data. A flaw in the service could give a malicious actor access keys with which to steal, edit, or delete sensitive data.

A team of researchers at Tel Aviv-based Wiz.io discovered the vulnerability, named it ChaosDB, and disclosed it to Microsoft earlier this month. The flaw was reachable through the Jupyter Notebook feature, which was added to Cosmos DB back in 2019. This feature lets Cosmos DB customers visualize their data and create custom views.

Microsoft enabled the Jupyter Notebook feature by default for all Cosmos DB instances in February of this year. According to a recently published blog post by Wiz.io, the researchers found misconfigurations in the feature and were able to exploit them: in short, the notebook container allowed privileges to be escalated into other customers' notebooks. As a result, an attacker could obtain the Cosmos DB primary keys and other highly sensitive secrets, such as the notebook blob storage access token.

An attacker could use the access keys for full administrative access to all data stored in the affected Cosmos DB accounts. In addition, the attacker could control the customer's Cosmos DB directly from the Internet with full read/write/delete permissions.

Wiz.io notified the Microsoft security team of the exploit, which immediately disabled the feature. In addition, the company emailed all affected customers, advising them to change their access keys. In a recent blog post by the Microsoft Security Response Center about the vulnerability, the security team said:

Our investigation has shown that no customer data was accessed by third parties or security researchers due to this vulnerability. We have notified customers whose keys may have been compromised during the research activity to regenerate their keys.
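As an added defender-side example (not from the article, Wiz.io, or Microsoft), the script below triages constructed Azure Activity Log records to find Cosmos DB accounts whose keys were read by an unexpected identity, or read after the last key regeneration, which is the follow-up check a team would want after the advice to regenerate keys. The operation names, callers, resource IDs and timestamps are assumptions and constructed sample data.

```python
import json
from datetime import datetime

# Assumed Azure resource-provider operation names for Cosmos DB key handling.
LIST_KEYS = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
REGEN_KEY = "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action"
ACCT = "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/"

# Constructed sample Activity Log records (newline-delimited JSON), not a real export.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"operationName": LIST_KEYS, "caller": "ci-pipeline@example.com", "resourceId": ACCT + "orders-db", "eventTimestamp": "2021-08-10T09:00:00Z", "status": "Succeeded"},
    {"operationName": REGEN_KEY, "caller": "ops@example.com", "resourceId": ACCT + "orders-db", "eventTimestamp": "2021-08-11T10:00:00Z", "status": "Succeeded"},
    {"operationName": LIST_KEYS, "caller": "unknown-sp-1234", "resourceId": ACCT + "orders-db", "eventTimestamp": "2021-08-12T03:15:00Z", "status": "Succeeded"},
    {"operationName": LIST_KEYS, "caller": "ci-pipeline@example.com", "resourceId": ACCT + "billing-db", "eventTimestamp": "2021-08-09T08:00:00Z", "status": "Succeeded"},
    {"operationName": REGEN_KEY, "caller": "ops@example.com", "resourceId": ACCT + "billing-db", "eventTimestamp": "2021-08-27T10:00:00Z", "status": "Succeeded"},
])

# Identities expected to read account keys (constructed allow-list).
APPROVED_CALLERS = {"ci-pipeline@example.com", "ops@example.com"}


def parse_records(text):
    """Parse newline-delimited JSON records and attach a timezone-aware datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def triage(records, approved_callers):
    """Flag accounts whose keys were read by an unapproved identity, or read after the
    last successful regeneration (meaning the key that identity saw is still valid)."""
    last_regen, reads = {}, []
    for r in records:
        if r["status"] != "Succeeded":
            continue
        acct = r["resourceId"].rsplit("/", 1)[-1]
        if r["operationName"] == REGEN_KEY:
            last_regen[acct] = max(last_regen.get(acct, r["ts"]), r["ts"])
        elif r["operationName"] == LIST_KEYS:
            reads.append((acct, r["caller"], r["ts"]))
    findings = {}
    for acct, caller, ts in reads:
        unapproved = caller not in approved_callers
        key_still_live = acct not in last_regen or ts > last_regen[acct]
        if unapproved or key_still_live:
            findings.setdefault(acct, []).append(
                {"caller": caller, "unapproved": unapproved, "key_still_live": key_still_live})
    return findings
```

Running `triage(parse_records(SAMPLE_LOG), APPROVED_CALLERS)` flags only `orders-db`, whose keys were read by an unknown principal after the last regeneration, so that account still needs its keys rotated.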

Since the vulnerability had been exploitable for months, more Cosmos DB customers are at risk than Microsoft reported, according to the Wiz blog post. In addition, several media outlets have picked up the story, and the discussion on social media is lively.

Aside from this specific mistake, the way all cloud providers try to network their service offerings makes me more and more nervous. It’s too easy to accidentally issue overly revealing IAM policies without realizing it.

This type of cross-tenant attack on Azure's Cosmos DB is a great example of why you want client-side, app-level encryption in your services, and why you want your data stores to primarily hold ciphertext of sensitive data.

Finally, the US Cybersecurity and Infrastructure Security Agency (CISA) published a report in January 2021 to warn companies using cloud services:

Threat actors use phishing and other vectors to exploit poor cyber hygiene practices within a victim’s cloud service configuration.

The security flaw in Cosmos DB is another example of how real the threat of exploitation still is.


InfoQ.com and all content is Copyright © 2006-2021 C4Media Inc. InfoQ.com is hosted by Contegix, the best ISP we have ever worked with. Privacy Policy, Terms and Conditions, Cookie Policy

Keywords: Microsoft Corporation, Microsoft Azure, Cosmos DB, Cloud computing, Database, Vulnerability, Computer security
