CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.0004 Low
Percentile: 13.3%

Microsoft recently mitigated and remediated a vulnerability affecting Azure Data Factory and Azure Synapse Pipelines. The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift in the Integration Runtime (IR) of Azure Synapse Pipelines and Azure Data Factory. The vulnerability could have allowed an attacker to execute remote commands across Integration Runtimes.
We addressed the vulnerability with the release of the security updates to remediate CVE-2022-29972. In addition, we worked with the third-party vendor on fixing the vulnerability in the driver, and that fix has been released with our latest updates. More information can be found on our blog.
Our current fixes and the third-party driver fix fully address this vulnerability. However, we have identified and are committed to additional improvements to the service, particularly around creating stronger isolation on Azure IR to further safeguard customer workloads.
Our current service provides multiple levels of isolation, and for those customers who prefer greater compute and network isolation, Microsoft offers Azure IR with Managed Virtual Network and Self-Hosted Integration Runtime.
We are continuing to work on strengthening tenant isolation across customer workloads on Azure IR without the Managed Virtual Network. Tenant isolation in Azure IR will ensure our customers’ Synapse pipeline and Azure Data Factory executions are isolated, and the exposure is contained from vulnerabilities at the application level.
No customer action is expected for this change. However, in the event customers must perform an action in response to these changes, they will be notified via Azure Service Health Alerts.