Security News > 2021 > September > Microsoft fixes flaw that could leak data between users of Azure container services

Microsoft today revealed it fixed a vulnerability in its Azure Container Instances services that could have been exploited by a malicious user "To access other customers' information."

Azure Container Instances is a serverless container environment.

Microsoft has also reminded users that credentials can be found in environment variables, secret volumes, and even in Azure file shares - so there may be a bit of tidying up to do.

We also know that only a subset of users were exposed to the flaw, because Microsoft says that if you didn't see a Service Health Notification about the issue in the Azure Portal you have nothing to worry about.

The issue is Microsoft's second Azure cross-user data leak SNAFU in the past fortnight: in late August the IT giant disclosed a flaw in its Cosmos DB allowed unauthorised read/write access to other users' databases.

Microsoft's webpage for Azure Container Instances asks, "Why trust Container Instances?" and answers by stating that Microsoft "Invests more than $1bn annually on cybersecurity research and development" and employs "More than 3,500 security experts who are dedicated to data security and privacy."

News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/09/azure_container_flaw/