A major vulnerability was discovered in Azure Cosmos DB earlier this month, affecting  approximately 3300 Cosmos DB customers, this includes many high profile businesses such as Citrix, Symantec and Skype.

The vulnerability was introduced in 2019 when Microsoft added Jupyter Notebook, a data visualisation feature. The is feature was turned on by default for all Cosmos DB instances in February 2021.

This security issue was discovered by Wiz who are a cloud security company, it allowed them full control over the data of several thousand Azure Cosmos DB customers.

Microsoft say it hasn’t seen any evidence of the vulnerability having been exploited in the wild, Wiz also confirmed that Microsoft disabled the vulnerability within 48 hours of it being reported. The outstanding risk here is that Microsoft cant change its customer’s primary access keys, which means if any have been harvested then customers are at risk. Any Cosmos DB customers should therefore manually change their keys in order to mitigate any risk.

Further information on the security risk can be found in this Microsoft blog article:

https://msrc-blog.microsoft.com/2021/08/27/update-on-vulnerability-in-the-azure-cosmos-db-jupyter-notebook-feature/

Information on how to reset your primary and secondary access keys can be found here:

https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key

James Harris

James Harris is Head of Service Delivery and is responsible for the Managed Services Team. He has worked in the technology space all his life and looks after clients really well.