Microsoft Azure Cosmos DB Vulnerability Exploit
August 27th, 2021 2021
August 28, 2021 Update:
Microsoft Security Response Center has provided an official statement regarding this vulnerability.
Please follow this link: https://msrc-blog.microsoft.com/2021/08/27/update-on-vulnerability-in-the-azure-cosmos-db-jupyter-notebook-feature/
On August 26th, Reuters published a story in which they stated that Microsoft had contacted its customers to alert them to a potential vulnerability in Azure Cosmos DB, specifically a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB.
We wish to assure our customers that Archive360 does not utilize Microsoft’s Jupyter Notebook feature, and our products and services do not leverage the affected feature. We understand that once the vulnerability was reported, Microsoft took immediate action to mitigate the vulnerability and disabled the Jupyter Notebook feature worldwide so the vulnerability may not be further exploited.
At the time of writing this statement, Microsoft has not issued any statements. However, we have confirmed with our Microsoft contacts that affected customers have been notified. If customers have not received a notification, their account was most likely not impacted. If they have diagnostic logs enabled on their account, they can review those logs for unusual IP addresses. They can also create support tickets referencing Tracking ID: GSGD-RTG.
Archive360 has immediately taken preventative steps and conducted a threat analysis. We can confirm that:
- Archive360 does not use the Jupyter Notebook implementation provided by Azure Cosmos DB. In fact, it should be disabled.
- This vulnerability requires the use of the Jupyter Notebook implementation provided by Azure Cosmos DB, and requires an actor to compromise multiple layers before it may access data in Cosmos DB:
Some customers may have already observed activity in their system, as we have rotated keys contemporaneously with our notifications today.
Out of an abundance of caution and consistent with Microsoft’s recommendation, Archive360 is rotating all Azure Cosmos DB keys for all customers as follows:
- Customers that are currently subscribed to AdminAssist, need do nothing. Archive360 will manage key rotation and a notification will go to the customer once the rotation has been completed.
- Customers without AdminAssist have two options:
- Open a support ticket to schedule a key rotation; or
- Archive360 support representatives will contact you to schedule a key rotation.
Thank you for your consideration of this Statement. If you have questions or concerns, please contact your Archive360 Sales representative or email@example.com.
James M. McCarthy | Chief Compliance Officer & General Counsel