Summary
Today, Microsoft released new versions of the Azure Key Vault libraries and Azure Identity libraries as part of the Azure Software Development Kit (SDK) that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for processing. While most applications using the Azure SDK libraries are safe, applications which take user provided Key Vault or Managed HSM resource URIs may be at risk of leaking authentication information if URIs are not validated correctly.
Recommended Customer Actions
All customers should take action to update to the latest Azure Key Vault libraries and Azure Identity libraries for defense in depth feature updates.
-
Additionally, customers should validate that applications that accept user provided (potentially untrusted) URIs for a customer-owned Azure Key Vault or Azure Managed HSM are following best practices outlined in the technical blog. Examples include, but are not limited to:
- URIs to keys for encryption at rest, often referred to as custom-managed keys (CMK).
- URIs to secrets to configure an application, including API keys, connection strings, etc.
Additional References
- Azure Key Vault library technical blog
- Azure Identity library technical blog
- Questions? Open a support case through the Azure Portal at aka.ms/azsupt