6 votes

ChaosDB explained: Walkthrough of Azure's Cosmos DB vulnerability

2 comments

  1. spit-evil-olive-tips

    the vulnerability was originally made public back in August

    #ChaosDB is an unprecedented critical vulnerability in the Azure cloud platform that allows for remote account takeover of Azure’s flagship database - Cosmos DB. The vulnerability, which was disclosed to Microsoft in August 2021 by Wiz Research Team, gives any Azure user full admin access (read, write, delete) to another customer's Cosmos DB instances without authorization. The vulnerability has a trivial exploit that doesn't require any previous access to the target environment, and impacts thousands of organizations, including numerous Fortune 500 companies.

    3 votes
    1. dootdoot

      It’s easy to judge from an external perspective. Nonetheless, this vulnerability seems egregious to me. Execute user-supplied code with root privilege?? Were corners cut due to schedule limitations? There needs to be an internal postmortem because this standard is not acceptable.

      1 vote