Microsoft patches 3 vulnerabilities in Azure API Management

According to cybersecurity firm Ermetic, Microsoft has patched three vulnerabilities in the Azure API Management service: two server-side request forgery (SSRF) vulnerabilities and a file upload path traversal in an internal Azure workload.

The vulnerabilities stemmed from URL formatting bypasses and unrestricted file upload functionality in the API Management developer portal, Ermetic said. The firm identified the issues in December, and Microsoft patched them in January.

Azure API Management is a managed platform-as-a-service (PaaS) offering that lets enterprises develop and manage APIs securely across hybrid and multi-cloud environments.

“By abusing the SSRF vulnerabilities, attackers could send requests from the service’s CORS [cross-origin resource sharing] proxy and the hosting proxy itself, access internal Azure assets, deny service, and bypass web application firewalls,” Ermetic said in a research alert on Thursday, adding that through the file upload path traversal, attackers could also upload malicious files to Azure’s internal hosted workload and to self-hosted developer portals.
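The two bug classes named above, an SSRF destination check defeated by URL formatting and an upload handler that lets a filename escape its directory, are easiest to understand side by side. The following is an added example written for this page; it is not Microsoft's or Ermetic's code, and because the article does not give the exact bypass strings used against Azure API Management, the allowlisted hostname, the upload directory and the payloads are constructed assumptions. It shows a substring-based host check and a raw path join next to their hardened forms.

```python
"""Added example: SSRF allowlist and upload-path checks, weak and hardened.

Not code from Azure API Management or from Ermetic's research. The host
allowlist, upload directory and payload strings are assumptions chosen to
illustrate the bug classes the article describes.
"""
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com"}                        # assumed allowlist
UPLOAD_ROOT = PurePosixPath("/var/www/portal/uploads")     # assumed upload dir


def naive_is_allowed(url: str) -> bool:
    """Weak SSRF check: a substring match on the raw URL string.

    Any URL that merely *contains* an allowed host passes, so credentials
    (host@target), fragments (#host) or look-alike domains (host.evil.test)
    all slip through. This is the kind of URL-formatting bypass an SSRF
    allowlist has to survive.
    """
    return any(host in url for host in ALLOWED_HOSTS)


def strict_is_allowed(url: str) -> bool:
    """Hardened SSRF check: parse first, then compare the parsed parts.

    Requires an http(s) scheme, refuses userinfo in the authority (the
    host@target trick) and compares the parsed hostname exactly against the
    allowlist rather than searching the string.
    """
    try:
        parts = urlsplit(url)
    except ValueError:           # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname        # already lower-cased, port stripped
    return host is not None and host in ALLOWED_HOSTS


def naive_upload_path(filename: str) -> PurePosixPath:
    """Weak upload handler: joins the client-supplied name under the root.

    '..' segments are preserved, so a crafted name walks out of UPLOAD_ROOT.
    """
    return UPLOAD_ROOT / filename


def safe_upload_path(filename: str) -> Optional[PurePosixPath]:
    """Hardened upload handler: keep only the final path component.

    Rejects empty, dot, dot-dot and hidden names plus NUL and backslash,
    which leaves a single plain component that cannot leave UPLOAD_ROOT.
    """
    name = PurePosixPath(filename).name
    if not name or name in (".", "..") or name.startswith("."):
        return None
    if "\x00" in name or "\\" in name:
        return None
    return UPLOAD_ROOT / name


def escapes_root(path: PurePosixPath) -> bool:
    """Lexically collapse '..' and report whether the path left UPLOAD_ROOT."""
    norm = PurePosixPath(posixpath.normpath(str(path)))
    return norm != UPLOAD_ROOT and UPLOAD_ROOT not in norm.parents


if __name__ == "__main__":
    # Constructed payloads: an Azure IMDS-style target hidden behind an
    # allowed-looking host, and a cron-directory traversal on upload.
    ssrf_url = "http://api.example.com@169.254.169.254/metadata"
    print("naive allows SSRF url :", naive_is_allowed(ssrf_url))
    print("strict allows SSRF url:", strict_is_allowed(ssrf_url))
    bad_name = "../../etc/cron.d/job"
    print("naive upload path     :", naive_upload_path(bad_name),
          "escapes root:", escapes_root(naive_upload_path(bad_name)))
    print("safe upload path      :", safe_upload_path(bad_name))
```

The design point is that both defences stop reasoning about the attacker's string and reason about a parsed, canonical value instead: the hostname after `urlsplit`, and the last path component after the directory part is discarded. A check that compares raw strings, as the naive versions do, is exactly what URL formatting tricks and `..` segments are built to defeat.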

One SSRF vulnerability bypassed a previous fix

Of the two SSRF vulnerabilities identified, one affected the Azure API Management CORS Proxy and the other affected the Azure API Management Hosting Proxy.

The CORS Proxy SSRF was initially believed to be a duplicate of a previously reported vulnerability that Microsoft had already patched. It was later found that the new issue bypassed that initial fix, and Microsoft fully patched it in January.

Copyright © 2023 IDG Communications, Inc.

Microsoft has recently released a patch that resolves three vulnerabilities in Azure API Management. This update to Microsoft’s cloud platform services highlights how important it is for organisations to keep the software and security controls behind their operations up to date.

The update was released on the 17th of November and was designed to address several security issues, including a code-level vulnerability in the “Role Token” system. The vulnerability has been categorised as “Important”, and Microsoft’s support bulletin stated that “an attacker could use the vulnerability to gain access to the application and in turn, could gain control of it.”

The patch, which is applied automatically, adds a revocation mechanism that cuts off access for applications from potentially illegitimate sources, in addition to an updated automatic logout system.

Ikaroa, a full-stack tech company, works with clients to ensure that databases, systems, and cloud-based services are updated to the latest security protocols and meet the highest cybersecurity standards. Our experienced technical staff are trained to recognise the vital importance of updates and patches in these areas.

Microsoft’s patch to Azure API Management is yet another example of how vital it is for organisations and businesses to run on the latest secure releases. At Ikaroa, we understand that keeping systems up to date and secure is a continual process, and our clients can trust us to deliver the timely and essential security patches they need.

