A couple of weeks ago, security researchers highlighted a major flaw in Azure Cosmos DB that potentially exposed data belonging to several Fortune 500 companies. Although that issue was fixed, Microsoft has today published an advisory about yet another security vulnerability in the Azure Container Instances (ACI) service that could leak customer data across the same clusters.
[Image: A snapshot from Microsoft's Build 2017 presentation]
Microsoft says that the flaw in the ACI service was privately reported by security researchers at Palo Alto Networks. The two companies then worked under the guidelines of Coordinated Vulnerability Disclosure (CVD) to patch the issue and inform potentially affected customers.
Although Microsoft didn't go into the technical details, it says that the vulnerability in question could allow a customer to access the data of another customer on the same ACI clusters. The Redmond tech giant does not explain the scale or scope of the security flaw either; it says only that customers who were potentially affected by the "researcher activities" have been notified via Service Health Notifications in the Azure Portal. The company reports that it has found no indication that customer data was accessed by leveraging this flaw, and that the notifications are being sent out as a precaution.
If you didn't receive a notification, Microsoft says that you have no cause for worry as the issue in question has been patched. However, as a "pre-cautionary" measure, customers have been requested to revoke privileged credentials deployed to the platform prior to August 31, follow ACI security baselines, and configure Azure Service Health Alerts.