Update: Vulnerability in the Azure Cosmos DB Jupyter Notebook Feature

On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. Microsoft mitigated the vulnerability immediately.

Microsoft's investigation indicates that no customer data was accessed because of this vulnerability by third parties or security researchers. Microsoft have notified the customers whose keys may have been affected during the researcher activity to regenerate their keys.

Part of any robust security posture is working with researchers to help find vulnerabilities, so they can fix them before they can be used. The Wiz researcher who reported this vulnerability worked with Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD).

Which Azure Cosmos DB accounts were potentially affected?:

This vulnerability affects every Cosmos DB resource created after January 2021, as the Jupyter Notebook feature was enabled by default.

Notifications have been sent to all customers that could be potentially affected due to researcher activity, advising they regenerate their primary read-write key. Other keys including the secondary read-write key, primary read-only key, and secondary read-only key were not vulnerable.

If you did not receive an email or in-portal notification, there is no evidence any other external parties had access to your primary read-write account key.  If you have diagnostic logs enabled, you can also review the logs for unusual IP addresses.  Our suggestion is to enable Diagnostic Logging and Azure Defender where available and periodically rotate your keys.

How to regenerate your primary read-write key:

Though no customer data was accessed, it is recommended you regenerate your primary read-write keys following the steps described in this technical documentation.

It is also recommended as a best practice:

  1. All Azure Cosmos DB customers use a combination of firewall rules, vNet, and/or Azure Private Link on their account. These network protection mechanisms prevent access from outside your network and unexpected locations.
  2. In addition to implementing network security controls, we encourage the use of Role Based Access Control. Role Based Access Control allows per user and security principal access control to Azure Cosmos DB – those identities can be audited in Azure Cosmos DB’s diagnostic logs.
  3. If you cannot use Role Based Access Control, we recommend implementing regularly scheduled key rotations.
  4. You can find additional security best practices in the Azure Cosmos DB security baseline documentation.

Actions Taken:

Microsoft are taking this vulnerability seriously, following their incident response process and are actively exploring implementing additional safeguards including updating the threat model and adding additional monitoring to detect unintended data access. 

For more information, this resource provides an in-depth explanation.