Microsoft Resolves Padding Oracle Vulnerability in Azure Storage SDK


Microsoft has updated the Azure Storage SDK to address a padding oracle vulnerability in client-side encryption as part of its July 2022 Patch Tuesday patches.

All of the tools that Python,.NET, or Java developers require to create Azure apps that make use of cloud computing resources are included in the Azure Storage SDK. With a customer-managed key that is kept in Azure Key Vault or another key store, the SDK allows client-side encryption. The encryption method used by the previous SDK release is called cypher block chaining (CBC).

The security flaw, registered as CVE-2022-30187, was found in the SDK’s earlier implementation of CBC mode. However, according to Microsoft, a hacker attempting to exploit the flaw need write access to the blob as well as the ability to spot decryption errors.

Read More: