Microsoft resolves vulnerability by updating Azure Storage SDK in its latest security patch

Microsoft has released an update for the Azure Storage SDK that addresses the padding oracle vulnerabilities, as part of its July 2022 Patch Tuesday. The Azure Storage SDK provides resources for Python, .NET, or Java developers to build Azure applications that access Microsoft's cloud storage services.

Security researchers said the bug is tracked as CVE-2022-30187 and stems from the SDK's use of the cipher block chaining (CBC) mode of operation. The SDK supports client-side encryption with a customer-managed key, which can be stored in Azure Key Vault. However, because the SDK used CBC mode for this encryption, an attacker could “decrypt data on the client side and disclose the content of the file or blob.”

Microsoft said that an attacker would need write access to the blob and the ability to observe decryption failures. The company said, “The attacker would need to perform 128 attempts per byte of plain text to decrypt blob contents. We view putting this combination of qualifiers together for an attack to be rare.”
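The preconditions Microsoft lists (write access to a blob plus visible decryption failures, at about 128 attempts per byte) leave a recognizable trace: many overwrite-then-failed-decrypt cycles on one blob in a short time. The following detection sketch is an added example, not code from Microsoft or the SDK; the event schema, function names, thresholds and sample data are assumptions made for illustration.

```python
from collections import defaultdict, deque

ATTEMPTS_PER_BYTE = 128  # figure quoted from Microsoft in the article

def find_oracle_probing(events, window_s=600, min_cycles=64):
    """Flag blobs with repeated overwrite -> decryption-failure cycles.

    events: iterable of (unix_ts, blob_name, kind), kind being "write",
    "decrypt_fail" or "decrypt_ok" (hypothetical schema for this example).
    Returns {blob: (peak_cycles_in_window, approx_plaintext_bytes_covered)}.
    """
    overwritten = set()            # blobs written since their last decrypt attempt
    recent = defaultdict(deque)    # blob -> timestamps of cycles inside the window
    peak = defaultdict(int)
    total = defaultdict(int)
    for ts, blob, kind in sorted(events, key=lambda e: e[0]):
        if kind == "write":
            overwritten.add(blob)
        elif kind == "decrypt_ok":
            overwritten.discard(blob)
        elif kind == "decrypt_fail" and blob in overwritten:
            overwritten.discard(blob)
            q = recent[blob]
            q.append(ts)
            while ts - q[0] > window_s:   # drop cycles older than the window
                q.popleft()
            peak[blob] = max(peak[blob], len(q))
            total[blob] += 1
    return {b: (peak[b], total[b] // ATTEMPTS_PER_BYTE)
            for b in peak if peak[b] >= min_cycles}

def constructed_events():
    """Constructed sample data, not taken from any real log."""
    ev = []
    for i in range(300):                        # 300 tamper/fail cycles in 10 min
        ev.append((2 * i, "reports/q2.bin", "write"))
        ev.append((2 * i + 1, "reports/q2.bin", "decrypt_fail"))
    ev += [(5, "images/logo.png", "write"),     # normal upload and read
           (6, "images/logo.png", "decrypt_ok"),
           (900, "images/logo.png", "decrypt_fail"),  # failure with no prior write
           (50, "notes.txt", "write"),          # single corrupted upload
           (51, "notes.txt", "decrypt_fail")]
    return ev

if __name__ == "__main__":
    print(find_oracle_probing(constructed_events()))
```

The second value in each result is only a rough scale indicator: the number of observed cycles divided by the 128-attempts-per-byte figure quoted above.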

The tech giant said that client-side encryption lets customers encrypt their data with a customer-managed key maintained in Azure Key Vault or another key store such as Azure Storage. With the release of the updated Azure Storage SDK, the vulnerability has been mitigated considerably. The new version also lets customers read and write data that was encrypted with the previous SDK version.

The company added that customers should migrate previously encrypted data to the new client-side encryption version by downloading, re-encrypting, and uploading it. The company also credited Google for disclosing the vulnerability.



