August 28, 2021 Update:
Microsoft Security Response Center has provided an official statement regarding this vulnerability.
Please follow this link: https://msrc-blog.microsoft.com/2021/08/27/update-on-vulnerability-in-the-azure-cosmos-db-jupyter-notebook-feature/
On August 26th, Reuters published a story in which they stated that Microsoft had contacted its customers to alert them to a potential vulnerability in Azure Cosmos DB, specifically a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB.
We wish to assure our customers that Archive360 does not utilize Microsoft’s Jupyter Notebook feature, and our products and services do not leverage the affected feature. We understand that once the vulnerability was reported, Microsoft took immediate action to mitigate the vulnerability and disabled the Jupyter Notebook feature worldwide so the vulnerability may not be further exploited.
At the time of writing this statement, Microsoft has not issued any statements. However, we have confirmed with our Microsoft contacts that affected customers have been notified. If customers have not received a notification, their account was most likely not impacted. If they have diagnostic logs enabled on their account, they can review those logs for unusual IP addresses. They can also create support tickets referencing Tracking ID: GSGD-RTG.
Archive360 has immediately taken preventative steps and conducted a threat analysis. We can confirm that:
|
Some customers may have already observed activity in their system, as we have rotated keys contemporaneously with our notifications today.
Out of an abundance of caution and consistent with Microsoft’s recommendation, Archive360 is rotating all Azure Cosmos DB keys for all customers as follows:
Thank you for your consideration of this Statement. If you have questions or concerns, please contact your Archive360 Sales representative or ceo@archive360.com.
James M. McCarthy | Chief Compliance Officer & General Counsel