Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

Posted on Thursday September 16, 2021  |  MSRC alerts

On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to…


Coordinated disclosure of vulnerability in Azure Container Instances Service

Posted on Wednesday September 08, 2021  |  MSRC alerts

Microsoft recently mitigated a vulnerability reported by a security researcher in the Azure Container Instances (ACI). Our investigation surfaced no unauthorized access to customer data. Out of an abundance of caution we notified customers with containers running on the same clusters as the researchers via Service Health Notifications in the Azure Portal. If you did not receive a notification, no action is required with respect to this vulnerability.


Update on the vulnerability in the Azure Cosmos DB Jupyter Notebook Feature

Posted on Friday August 27, 2021  |  MSRC alerts

On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. We mitigated the vulnerability immediately.   Our investigation indicates that no customer data was accessed because of this…


Announcing the Launch of the Azure SSRF Security Research Challenge

Posted on Thursday August 19, 2021  |  MSRC alerts

Microsoft is excited to announce the launch of a new, three-month security research challenge under the Azure Security Lab initiative. The Azure Server-Side Request Forgery (SSRF) Research Challenge invites security researchers to discover and share high impact SSRF vulnerabilities in Microsoft Azure. Qualified submissions are eligible for bounty rewards up to $60,000 USD, with additional…


Point and Print Default Behavior Change

Posted on Tuesday August 10, 2021  |  MSRC alerts

Our investigation into several vulnerabilities collectively referred to as “PrintNightmare” has determined that the default behavior of Point and Print does not provide customers with the level of security required to protect against potential attacks. Today, we are addressing this risk by changing the default Point and Print driver installation and update behavior to require…


Congratulations to the MSRC 2021 Most Valuable Security Researchers!

Posted on Wednesday August 04, 2021  |  MSRC alerts

The MSRC Researcher Recognition Program offers public thanks and acknowledgement to the researchers who help protect customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s Most Valuable Security Researchers (MVRs) based on the impact, accuracy, and volume of their reports. Congratulations to each of our MSRC…


Page:   12345...28

Celebrating 30 Years

Managed Internet Connections

Contact Us