Critical Azure Flaw Report Rejected by Microsoft

Fixing the Flaw Without Fanfare

Microsoft faced criticism after rejecting a security researcher's report on a critical Azure Backup for AKS vulnerability in May 2024. The researcher claimed Microsoft quietly fixed the flaw after dismissing the report. No official CVE identifier was issued for the vulnerability.

The reported vulnerability was a privilege escalation flaw allowing cluster administrators to gain elevated access. Microsoft allegedly rejected the researcher's report, saying it did not meet the company's criteria. The researcher disputes this, arguing the flaw posed a significant risk.

Microsoft fixed the vulnerability after the researcher's report, but without publicly acknowledging it. This move has sparked debate about the company's transparency regarding security issues. The researcher's concerns highlight the tension between Microsoft's security protocols and external researchers.

Should Microsoft Have Issued a CVE?

Issuing a CVE identifier is standard practice for publicly disclosed vulnerabilities. By not doing so, Microsoft may have avoided drawing attention to the flaw. However, this decision has been criticized for lacking transparency.

The consequences of Microsoft's decision are still unclear. However, the incident may impact how the company handles future security reports. It also raises questions about the balance between security and transparency.

Frequently Asked Questions

What was the reported Azure vulnerability? The vulnerability was a critical privilege escalation flaw in Azure Backup for AKS. It allowed cluster administrators to gain elevated access.

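Why didn't Microsoft issue a CVE identifier? Microsoft allegedly rejected the researcher's report, saying it did not meet the company's criteria. As a result, no official CVE identifier was issued.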

What are the implications of Microsoft's decision? The incident may impact Microsoft's handling of future security reports. It also raises concerns about the company's transparency regarding security issues.

Content written by Marcus Reeves for tech-site.news editorial team, AI-assisted.
