Researchers on Thursday discovered a chain of critical vulnerabilities in the widely used Azure Database for PostgreSQL Flexible Server.
In a blog post, Wiz researchers said they reported the vulnerability to Microsoft in January. Microsoft confirmed that the issue has been fully mitigated and no action is required by Azure customers. Microsoft also added that it is not aware of any attempt to exploit this vulnerability.
Dubbed #ExtraReplica, the vulnerability allows unauthorized read access to other customers' PostgreSQL databases, bypassing tenant isolation. Wiz researchers say that, had it been exploited, the vulnerability would have let a malicious actor replicate and gain read access to Azure PostgreSQL Flexible Server customer databases.
As more services are offered in the cloud, we’re reminded that the cloud is just someone else’s computer, but that it’s also shifting to be someone else’s software, said Davis McCarthy, principal security researcher at Valtix.
“The Azure database vulnerability shows us that the more trust we put in the cloud, the more likely we are to uncover new attack surfaces,” McCarthy said. “Whether it’s the baseless assumption that cloud workloads don’t need a layered defense, or that the cloud service provider is invulnerable — the enterprise needs to reframe its idea of security to benefit from the scalability the cloud offers.”
Tim Wade, deputy CTO at Vectra, added that risks related to crossing data security boundaries in the cloud will inevitably surface.
“Thankfully, the risk reductions associated with transitioning away from legacy IT infrastructure and embracing modern, resilient cloud architectures make that a fair price to pay,” Wade said.