Defense-in-Depth Updates for Azure Identity SDK and Azure Key Vault SDK plus Best Practice Implementation Guidance
2022-9-21 01:17:0 Author: msrc-blog.microsoft.com

Summary

Today, Microsoft released a new version of the Azure Key Vault Software Development Kit (SDK) and Azure Identity SDK that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for processing. While most applications using the SDKs are safe, applications that take user-provided Key Vault or Managed HSM resource URIs may be at risk of leaking authentication information if the URIs are not validated correctly.

Recommended Customer Actions

All customers should update to the latest Azure Key Vault SDK and Azure Identity SDK for the defense-in-depth feature updates.

  • Additionally, customers should validate that applications that accept user-provided (potentially untrusted) URIs for a customer-owned Azure Key Vault or Azure Managed HSM are following the best practices outlined in the technical blog. Examples include, but are not limited to:
    • URIs to keys for encryption at rest, often referred to as customer-managed keys (CMK).
    • URIs to secrets to configure an application, including API keys, connection strings, etc.
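
One way to validate a user-provided Key Vault or Managed HSM URI before any credential is attached to a request, as an added example (not Microsoft's code and not taken from the technical blog). The allowlisted public-cloud DNS suffixes, the resource-name pattern, and the function and exception names are assumptions of this sketch.

```python
import re
from urllib.parse import urlsplit

# Assumption: only Azure public-cloud endpoints are expected; add the DNS
# suffixes of any sovereign clouds your deployment really uses.
ALLOWED_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")
# Assumption: resource name is one DNS label of 3-24 letters, digits, hyphens.
NAME_RE = re.compile(r"[a-z][a-z0-9-]{1,22}[a-z0-9]")


class UntrustedVaultUri(ValueError):
    """Raised when a caller-supplied URI must not receive a credential."""


def validate_vault_uri(raw: str) -> str:
    """Return the canonical https://<name><suffix> base URL or raise."""
    if any(ch.isspace() or ch == "\\" or ord(ch) < 0x20 for ch in raw):
        raise UntrustedVaultUri("whitespace, control or backslash character")
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise UntrustedVaultUri(f"unparseable URI: {exc}") from exc
    if parts.scheme != "https":
        raise UntrustedVaultUri("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise UntrustedVaultUri("userinfo (user@host) is not allowed")
    if port not in (None, 443):
        raise UntrustedVaultUri("unexpected port")
    host = (parts.hostname or "").lower()
    for suffix in ALLOWED_SUFFIXES:
        # The suffix starts with a dot, so "examplevault.azure.net" cannot match.
        if host.endswith(suffix) and NAME_RE.fullmatch(host[: -len(suffix)]):
            return f"https://{host}"
    raise UntrustedVaultUri(f"host {host!r} is not an expected vault endpoint")


def is_trusted_vault_uri(raw: str) -> bool:
    """Boolean wrapper for call sites that only need a yes/no decision."""
    try:
        validate_vault_uri(raw)
        return True
    except UntrustedVaultUri:
        return False
```

Build the Key Vault client from the returned base URL rather than from the raw input, so the host that was checked is the host that receives the token.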

Additional References


Source: https://msrc-blog.microsoft.com/2022/09/20/defense-in-depth-updates-for-azure-identity-sdk-and-azure-key-vault-sdk-plus-best-practice-implementation-guidance/