mscve / Microsoft / MS:ADV220001
History: May 09, 2022 - 7:00 a.m.

Upcoming improvements to Azure Data Factory and Azure Synapse Pipeline infrastructure in response to CVE-2022-29972

2022-05-09 07:00:00
Microsoft
msrc.microsoft.com
CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 13.3%

Executive Summary

Microsoft recently mitigated and remediated a vulnerability affecting Azure Data Factory and Azure Synapse Pipelines. The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory. The vulnerability could have allowed an attacker to execute remote commands across Integration Runtimes.

We addressed the vulnerability with the release of security updates to remediate CVE-2022-29972. In addition, we worked with the third-party vendor to fix the vulnerability in the driver, and the fixed driver has been released with our latest updates. More information can be found on our blog.

Our Commitment

Our current fixes, together with the third-party driver fixes, fully address this vulnerability. However, we have identified and are committed to additional improvements to the service, particularly around creating stronger isolation on Azure IR to further safeguard customer workloads.

Our current service provides multiple levels of isolation, and for those customers who prefer greater compute and network isolation, Microsoft offers Azure IR with Managed Virtual Network and Self-Hosted Integration Runtime.

We are continuing to work on strengthening tenant isolation across customer workloads on Azure IR without the Managed Virtual Network. Tenant isolation in Azure IR will ensure that our customers’ Synapse pipeline and Azure Data Factory executions are isolated from one another and that exposure from application-level vulnerabilities is contained.

No customer action is expected for this change. However, in the event customers must perform an action in response to these changes, they will be notified via Azure Service Health Alerts.
