August 2021 CosmosDB Vulnerability | Pure CBS on Azure

Security Analysis of CosmosDB Vulnerability in Azure

Cloud Block Store is not vulnerable to this exploit.

The exploit requires that the CosmosDB deployment have the “Jupyter Notebook” feature enabled. With that feature enabled, it was possible for a malicious actor to escalate privileges from their own Notebook container to another customer's Notebook container on the same backend physical host, and so gain access to that customer's account. Azure did in fact enable the Notebook feature by default for CosmosDB accounts created via the SQL API starting February 2021, so any CosmosDB account created since then (or one on which the feature was manually enabled) could be conceptually vulnerable.

This does not affect Cloud Block Store, for two reasons. First, Cloud Block Store does not use the SQL API to deploy CosmosDB accounts, so the Notebook feature is not enabled on the account, nor does Cloud Block Store make use of it. Instead, the Table API is used to deploy CosmosDB, and default enablement of the Notebook feature was not offered for CosmosDB deployed in this manner. Second, Cloud Block Store does not use or rely on any existing CosmosDB account (such as a customer-owned one), so a customer would not have access to enable the Notebook feature on it themselves.

While Pure Storage is not vulnerable to this issue, we are still taking action to provide further protection, such as relocating CosmosDB behind the firewall. This project started prior to our knowledge of this exploit; the change has since become a general recommendation from Azure. It will help ensure additional safety of the CosmosDB account in the case of future issues.
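The two factors named above, which API the account was created with (Table vs. SQL) and whether the account is reachable from the public internet or restricted by its firewall, can both be read from a Cosmos DB account's resource properties. The following audit helper is an added example written for this page; it is not Pure Storage code and is not part of Cloud Block Store. It takes the JSON that `az cosmosdb show` returns for a `Microsoft.DocumentDB/databaseAccounts` resource; the property names it reads (`kind`, `capabilities`, `publicNetworkAccess`, `ipRules`, the older `ipRangeFilter` string, `isVirtualNetworkFilterEnabled`) are assumptions about that schema, and the sample accounts are constructed, not real. Notebook enablement itself is not visible in these properties, so the helper reports only whether an account falls in the population the advisory describes (SQL API, eligible for default enablement) and whether the account is publicly reachable; it does not claim to know whether notebooks are actually on.

```python
"""Audit a Cosmos DB account against the two factors in the advisory.

Added example, not Pure Storage / Cloud Block Store code.  Property names
are assumptions about the `az cosmosdb show` / ARM databaseAccounts schema;
sample accounts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class Assessment:
    api: str                         # "SQL", "Table", "MongoDB", "Cassandra", "Gremlin"
    notebook_default_eligible: bool  # SQL API accounts were default-enabled per the advisory
    publicly_reachable: bool         # no firewall / VNet / public-access restriction found
    findings: List[str] = field(default_factory=list)


def account_api(account: Dict[str, Any]) -> str:
    """Infer which API the account was created with.

    Non-SQL APIs show up as a capability flag (assumed names: EnableTable,
    EnableCassandra, EnableGremlin) or as kind == "MongoDB"; the default
    kind "GlobalDocumentDB" with no such capability is the SQL (Core) API.
    """
    caps = {c.get("name") for c in account.get("capabilities", []) or []}
    if "EnableTable" in caps:
        return "Table"
    if "EnableCassandra" in caps:
        return "Cassandra"
    if "EnableGremlin" in caps:
        return "Gremlin"
    if account.get("kind") == "MongoDB":
        return "MongoDB"
    return "SQL"


def publicly_reachable(account: Dict[str, Any]) -> bool:
    """True when nothing in the account's network settings restricts access.

    Order of checks: an explicit public-network-access switch wins; otherwise
    any IP firewall rule (new `ipRules` list or legacy comma-separated
    `ipRangeFilter` string) or an enabled VNet filter counts as restricted.
    """
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        return False
    ip_rules = [r.get("ipAddressOrRange") for r in account.get("ipRules", []) or []]
    legacy = account.get("ipRangeFilter") or ""
    ip_rules += [x.strip() for x in legacy.split(",") if x.strip()]
    if ip_rules or account.get("isVirtualNetworkFilterEnabled"):
        return False
    return True


def assess(account: Dict[str, Any]) -> Assessment:
    """Combine the API and network checks into one result with readable findings."""
    api = account_api(account)
    eligible = api == "SQL"
    public = publicly_reachable(account)
    result = Assessment(api=api, notebook_default_eligible=eligible, publicly_reachable=public)
    if eligible:
        result.findings.append(
            "SQL API account: in the population where the Notebook feature was "
            "enabled by default from February 2021; verify the feature state.")
    else:
        result.findings.append(f"{api} API account: default Notebook enablement was not offered.")
    if public:
        result.findings.append(
            "No firewall, VNet rule or public-network-access restriction found; "
            "consider placing the account behind the firewall.")
    else:
        result.findings.append("Account is restricted by firewall/VNet/public-access settings.")
    return result


# Constructed sample accounts (trimmed to the properties the checks read).
SAMPLE_SQL_PUBLIC = {"kind": "GlobalDocumentDB", "capabilities": [], "publicNetworkAccess": "Enabled"}
SAMPLE_TABLE_FIREWALLED = {
    "kind": "GlobalDocumentDB",
    "capabilities": [{"name": "EnableTable"}],
    "publicNetworkAccess": "Enabled",
    "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],  # TEST-NET-3, placeholder range
}
SAMPLE_SQL_NO_PUBLIC = {"kind": "GlobalDocumentDB", "publicNetworkAccess": "Disabled"}

if __name__ == "__main__":
    for name, acct in [("sql-public", SAMPLE_SQL_PUBLIC),
                       ("table-firewalled", SAMPLE_TABLE_FIREWALLED),
                       ("sql-no-public", SAMPLE_SQL_NO_PUBLIC)]:
        a = assess(acct)
        print(f"{name}: api={a.api} eligible={a.notebook_default_eligible} public={a.publicly_reachable}")
        for f in a.findings:
            print("  -", f)
```

In practice the input would be the output of `az cosmosdb show --name <account> --resource-group <rg>` parsed with `json.loads`; the Cloud Block Store case corresponds to the `table-firewalled` sample (Table API, restricted network), which the helper reports as outside the default-enablement population and not publicly reachable.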

Lastly, no customer data and no Cloud Block Store authentication information is present in CosmosDB, and malicious access could not provide access to any data stored on Cloud Block Store, nor any mechanism to delete or alter it.

