Today, Microsoft released new versions of the Azure Key Vault libraries and Azure Identity libraries as part of the Azure Software Development Kit (SDK) that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for processing. While most applications using the Azure SDK libraries are safe, applications which take user provided Key Vault or Managed HSM resource URIs may be at risk of leaking authentication information if URIs are not validated correctly.
Additionally, customers should validate that applications that accept user provided (potentially untrusted) URIs for a customer-owned Azure Key Vault or Azure Managed HSM are following best practices outlined in the technical blog. Examples include, but are not limited to:
- URIs to keys for encryption at rest, often referred to as custom-managed keys (CMK).
- URIs to secrets to configure an application, including API keys, connection strings, etc.