Office of the Chief Information Security Officer

August 30, 2021

CosmosDB critical vulnerability

A cloud security vendor, Wiz, announced on Friday (8/26) that they discovered a vulnerability in Microsoft Azure’s managed database service, Cosmos DB, that gives attackers who find and exploit the bug read/write access to every database on the service. They named the vulnerability “Chaos DB.”

Wiz made the discovery two weeks ago, but they say that the vulnerability has been lurking in the system for “at least several months, possibly years.”

What is Cosmos DB?

Cosmos DB is a cloud-based database service in Microsoft’s Azure platform. It is used for app development and was designed to provide high performance and low latency.

What is #ChaosDB?

#ChaosDB is a new vulnerability, deemed critical, that affects some Cosmos DB customers. The vulnerability allows for remote account access and takeover, giving the attacker full administrative control of a customer’s database. This includes the ability to view and edit customer data. The vulnerability only affects customers who had Jupyter Notebooks enabled. All Cosmos DB instances created after January 2021 have this feature enabled by default. (Jupyter Notebooks is a client-based web application used for programming.)

Has the vulnerability been fixed?

Microsoft took quick action to fix the vulnerability after learning about it from security researchers. There are no known cases of the vulnerability having been exploited by malicious actors. However, since the vulnerability existed for months, it should be assumed that malicious actors had also discovered the vulnerability and taken advantage of it.

What actions do customers need to take?

Customers should:

  • Regenerate their Cosmos DB Primary Key (see this Microsoft article for guidance).
  • Review all past activity on their Cosmos DB account to examine it for suspicious activity.

Was the UW affected?

Microsoft notified all customers who were affected during a period of about a week. However, since the vulnerability existed for a longer period of time, it is thought that the number of impacted customers is higher.

More information

  • Description from security researchers who discovered the vulnerability:
      • Critical Vulnerability in Microsoft Azure Cosmos DB
      • Protecting your environment from ChaosDB
  • This Microsoft article provides an overview of data access control in Azure Cosmos DB:
      • Secure access to data in Azure Cosmos DB

