# Protect Against Critical Azure Cosmos DB Vulnerability

By [David Okeyode](https://www.paloaltonetworks.com/blog/author/david-okeyode/ "Posts by David Okeyode"), Sep 17, 2021. Filed under Cloud Posture Security and Points of View; tagged Azure, chaos DB, Cloud Security, cosmos, vulnerability exploit.

## Azure Cosmos DB Vulnerability

#### What Happened?

Cloud security researchers recently discovered and reported a critical vulnerability in the Jupyter notebook feature of Azure Cosmos DB. An attacker could use the feature to escalate from their own notebook environment into other customers' notebooks, harvest those customers' Cosmos DB account keys, and use the keys to access their data. Microsoft has since disabled the feature for all customers and sent notification emails to customers that could potentially have been impacted.

#### How Does it Impact Customers?

Any Azure user with a working exploit could read, update and delete data in affected Cosmos DB accounts unless compensating mitigations were in place. Because the harvested keys are the account keys, they could also be used to read and modify the metadata (databases, containers and related settings) of the affected account.

![Cosmos DB Customer Impact](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/09/diagram-description-automatically-generated-4.png)

Cosmos DB Customer Impact

#### How Can Prisma Cloud Help?

If you run Cosmos DB, rotate your account keys as soon as possible, even if Microsoft has not notified you as an impacted customer. Cosmos DB issues a primary and a secondary key (plus a read-only pair), so you can switch applications to the secondary key, regenerate the primary, and then repeat in the other direction without downtime.

What else can you do if the affected feature was enabled on your account in the past, beyond urgently regenerating your Cosmos DB account keys? If you are a Prisma Cloud user, you can investigate your Azure logs for suspicious activity and confirm that mitigations are in place to protect you against future cross-tenant vulnerabilities. The recommendations below cover both.

#### Investigate with Prisma Cloud

1. Identify the Cosmos DB accounts across all your Azure subscriptions that could be affected. The query below lists every Cosmos DB account Prisma Cloud has discovered; since keys should be rotated whether or not Microsoft notified you, every account it returns is in scope.

   Evaluate with RQL:

   ```
   config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db'
   ```

2. Verify that your Cosmos DB keys have been regenerated recently.
   You can use the query below to verify this quickly in Prisma Cloud. The built-in ML threat detection will also raise an anomaly if the regeneration was performed in an unusual way. Pair the result with the account list from step 1: any account that does not show a successful regeneration after the disclosure still needs its keys rotated.

   Evaluate with RQL:

   ```
   event from cloud.audit_logs where cloud.type = 'azure' AND cloud.service = 'microsoft.documentdb' AND json.rule = $.status.value = 'Succeeded' AND $.properties.message = 'Microsoft.DocumentDB/databaseAccounts/regenerateKey/action'
   ```

3. Review Cosmos DB key access events by non-user identities. In this case the vulnerability allowed a Jupyter notebook (a non-user identity) to read the access keys of Cosmos DB accounts that had the impacted feature enabled. Prisma Cloud users can evaluate this with the query below. Note that the `readonlykeys` operation returns only the read-only keys; the read-write primary and secondary keys are returned by `Microsoft.DocumentDB/databaseAccounts/listKeys/action`, so run the same query against that operation name as well, and review every successful call whose caller is a service principal or managed identity rather than a person.

   Evaluate with RQL:

   ```
   event from cloud.audit_logs where cloud.type = 'azure' AND cloud.service = 'microsoft.documentdb' AND json.rule = $.status.value = 'Succeeded' AND $.properties.message = 'Microsoft.DocumentDB/databaseAccounts/readonlykeys/action'
   ```

#### Mitigate the Risks by Improving Your Cosmos DB Security Posture

##### 1. Implement the Cosmos DB firewall at a minimum, or preferably virtual network integration or Private Link.

This ensures that network access is only possible from trusted public IP addresses or from your private virtual network in Azure. Let me be very clear on this: there is no reason to allow unrestricted network access to your platform databases. This is standard best practice that, in my experience, many organizations do not implement. If for no other reason, treat it as an additional layer of protection in situations like this one. Even if an attacker gets hold of a Cosmos DB access key, they still have to get onto a trusted network before the key is any use for authentication. If you rely on Private Link, also set `publicNetworkAccess` to `Disabled` on the account; a private endpoint by itself does not close the public endpoint.
Evaluate using RQL:

```
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.ipRangeFilter is empty and properties.virtualNetworkRules[*] does not exist and properties.privateEndpointConnections[*] does not exist
```

##### 2. Prevent management plane changes for clients using key-based authentication.

Cosmos DB access keys are mainly used by applications to read and write data in Cosmos DB containers. It is rare for an organization to have a use case where the keys are used to make management changes, such as creating or deleting databases and containers. To remove that capability, set the account-level property `"disableKeyBasedMetadataWriteAccess": true`. Key-authenticated clients can then still perform data operations, while metadata changes have to go through Azure Resource Manager with an Azure AD identity and RBAC. Check first whether any application creates databases or containers at startup through the SDK with a key, because that call will start failing once the property is set. The property can be set with an ARM template, the Azure CLI or Azure PowerShell.

Evaluate using RQL:

```
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.disableKeyBasedMetadataWriteAccess is false
```

Azure CLI (replace the placeholders with your account name and resource group):

```
az cosmosdb update --name <account-name> --resource-group <resource-group> --disable-key-based-metadata-write-access true
```

Azure PowerShell (the parameter takes a Boolean, so pass `$true` rather than the string `true`):

```
Update-AzCosmosDBAccount -ResourceGroupName <resource-group> -Name <account-name> -DisableKeyBasedMetadataWriteAccess $true
```

##### 3. Disable local authentication for SQL API Cosmos DB accounts.

The Cosmos DB service currently supports five APIs: Core (SQL), Table, MongoDB, Cassandra and Gremlin. At the time of writing, only the Core (SQL) API supports identity-based data access using Azure AD with RBAC. Once the applications on a SQL API account authenticate with Azure AD (token credentials in the SDK plus a Cosmos DB built-in data role assignment), a customer can turn off the long-lived access keys entirely by setting `"disableLocalAuth": true` on the account through an ARM template (not yet available through the portal). The query below identifies the SQL API accounts where this is possible; review each one for whether local authentication is still enabled.

Evaluate using RQL:

```
config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-cosmos-db' AND json.rule = properties.EnabledApiTypes equals "Sql"
```
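The investigation steps above are written as Prisma Cloud RQL queries. For readers who want to run the same triage directly against Azure Activity Log JSON exported with `az monitor activity-log list`, here is an added Python example; it is not code from the original post or from Palo Alto Networks. It assumes the standard Activity Log event fields (`operationName.value`, `status.value`, `caller`, `claims`, `resourceId`, `eventTimestamp`), uses a constructed set of events rather than real telemetry, and treats a caller with no UPN claim and no `@` in its name as a non-user identity, which is a heuristic (an assumption), not a guaranteed classification. It also covers `listKeys`, which returns the read-write keys, alongside `readonlykeys`.

```python
"""Triage Cosmos DB key operations in Azure Activity Log events.

Added example: flags successful key reads by non-user identities (the pattern in
this incident, where a notebook rather than a person read the keys) and lists
accounts that still lack a successful key regeneration after a cutoff date.
"""
import json
from datetime import datetime, timezone

# Management-plane operations that return Cosmos DB account keys. listKeys returns
# the read-write primary/secondary keys; readonlykeys returns only the read-only pair.
KEY_READ_ACTIONS = {
    "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
    "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
    "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action",
}
KEY_ROTATE_ACTION = "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
ACCOUNT_A = SUB + "/providers/Microsoft.DocumentDB/databaseAccounts/orders-db"
ACCOUNT_B = SUB + "/providers/Microsoft.DocumentDB/databaseAccounts/telemetry-db"
# Assumption: the date after which you expect to see a fresh key regeneration.
CUTOFF = datetime(2021, 8, 26, tzinfo=timezone.utc)


def _event(op, status, caller, rid, ts, claims):
    """Build one constructed Activity Log event in the documented field shape."""
    return {"operationName": {"value": op}, "status": {"value": status},
            "caller": caller, "resourceId": rid, "eventTimestamp": ts, "claims": claims}


USER = {UPN_CLAIM: "alice@contoso.example"}
# A service principal or managed identity is logged by object id and app id, no UPN.
SP = {"appid": "11111111-2222-3333-4444-555555555555",
      "http://schemas.microsoft.com/identity/claims/objectidentifier":
      "99999999-8888-7777-6666-555555555555"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = json.dumps([
    _event("Microsoft.DocumentDB/databaseAccounts/listKeys/action", "Succeeded",
           "alice@contoso.example", ACCOUNT_A, "2021-08-20T09:00:00Z", USER),
    _event("Microsoft.DocumentDB/databaseAccounts/readonlykeys/action", "Succeeded",
           "99999999-8888-7777-6666-555555555555", ACCOUNT_A, "2021-08-22T03:14:00Z", SP),
    _event("Microsoft.DocumentDB/databaseAccounts/listKeys/action", "Succeeded",
           "99999999-8888-7777-6666-555555555555", ACCOUNT_B, "2021-08-23T03:15:00Z", SP),
    _event(KEY_ROTATE_ACTION, "Succeeded",
           "alice@contoso.example", ACCOUNT_A, "2021-08-27T15:00:00Z", USER),
    _event(KEY_ROTATE_ACTION, "Failed",
           "alice@contoso.example", ACCOUNT_B, "2021-08-27T15:05:00Z", USER),
])


def load_events(text):
    return json.loads(text)


def _timestamp(event):
    return datetime.fromisoformat(event["eventTimestamp"].replace("Z", "+00:00"))


def succeeded(event):
    return event.get("status", {}).get("value") == "Succeeded"


def is_user_identity(event):
    """Heuristic (assumption): users carry a UPN claim or an '@' in caller;
    service principals and managed identities appear as bare object-id GUIDs."""
    return UPN_CLAIM in event.get("claims", {}) or "@" in event.get("caller", "")


def non_user_key_reads(events):
    """Successful key retrievals performed by something other than a user."""
    return [e for e in events
            if succeeded(e)
            and e["operationName"]["value"] in KEY_READ_ACTIONS
            and not is_user_identity(e)]


def last_rotation(events):
    """Map each account resourceId to its most recent successful regenerateKey."""
    latest = {}
    for e in events:
        if succeeded(e) and e["operationName"]["value"] == KEY_ROTATE_ACTION:
            rid, ts = e["resourceId"].lower(), _timestamp(e)
            if rid not in latest or ts > latest[rid]:
                latest[rid] = ts
    return latest


def accounts_needing_rotation(events, account_ids, cutoff):
    """Accounts with no successful key regeneration at or after the cutoff."""
    rotated = last_rotation(events)
    return sorted(a for a in account_ids
                  if rotated.get(a.lower()) is None or rotated[a.lower()] < cutoff)


if __name__ == "__main__":
    evts = load_events(SAMPLE_EVENTS)
    for e in non_user_key_reads(evts):
        print("non-user key read:", e["caller"], e["operationName"]["value"], e["resourceId"])
    for rid in accounts_needing_rotation(evts, [ACCOUNT_A, ACCOUNT_B], CUTOFF):
        print("keys not rotated since cutoff:", rid)
```

Feed `load_events` the output of `az monitor activity-log list --resource-group <rg> --start-time <date> -o json` and the list of account IDs from step 1 to get the same two answers the RQL queries give: which non-user identities pulled keys, and which accounts still have not been rotated. A failed `regenerateKey` (as for `telemetry-db` in the sample) deliberately does not count as a rotation.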
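The three posture checks above can also be evaluated offline against the account resource JSON (the same nested `properties` object that an ARM export or `az resource show` returns). The Python below is an added example, not code from the original post or from Prisma Cloud; the account definitions are constructed, the finding codes are names chosen for this example, and the logic is slightly stricter than the RQL above: a private endpoint on its own does not count as restricting network access unless `publicNetworkAccess` is `Disabled`, the `0.0.0.0` firewall entry (which admits traffic from all Azure datacenter ranges) is flagged separately, and SQL API accounts are additionally checked for `disableLocalAuth`.

```python
"""Offline posture checks for Cosmos DB accounts against ARM resource JSON.

Added example mirroring the three mitigation checks: network exposure,
key-based metadata writes, and local (key) authentication on SQL API accounts.
"""
import json

VNET_SUBNET = ("/subscriptions/sub-example/resourceGroups/rg/providers/"
               "Microsoft.Network/virtualNetworks/vnet/subnets/app")
PE_CONN = ("/subscriptions/sub-example/resourceGroups/rg/providers/Microsoft.DocumentDB/"
           "databaseAccounts/telemetry-db/privateEndpointConnections/pe1")

# Constructed sample accounts (values invented); property names follow the
# Microsoft.DocumentDB/databaseAccounts ARM schema.
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "orders-db", "properties": {
        "EnabledApiTypes": "Sql",
        "publicNetworkAccess": "Enabled",
        "ipRules": [{"ipAddressOrRange": "203.0.113.10"}],
        "virtualNetworkRules": [{"id": VNET_SUBNET}],
        "privateEndpointConnections": [],
        "disableKeyBasedMetadataWriteAccess": True,
        "disableLocalAuth": True}},
    {"name": "telemetry-db", "properties": {
        "EnabledApiTypes": "Sql",
        "publicNetworkAccess": "Enabled",
        "ipRangeFilter": "",
        "virtualNetworkRules": [],
        "privateEndpointConnections": [{"id": PE_CONN}],
        "disableKeyBasedMetadataWriteAccess": False}},
    {"name": "cache-db", "properties": {
        "EnabledApiTypes": "MongoDB",
        "publicNetworkAccess": "Enabled",
        "ipRangeFilter": "0.0.0.0",
        "disableKeyBasedMetadataWriteAccess": True}},
])


def load_accounts(text):
    return json.loads(text)


def ip_rules(props):
    """Merge the legacy comma-separated ipRangeFilter with the newer ipRules list."""
    rules = [r.get("ipAddressOrRange", "").strip() for r in props.get("ipRules", [])]
    rules += [s.strip() for s in props.get("ipRangeFilter", "").split(",")]
    return [r for r in rules if r]


def network_findings(props):
    """Check 1: is the account reachable from any network with just a key?"""
    findings = []
    rules = ip_rules(props)
    vnet = props.get("virtualNetworkRules", [])
    private_endpoints = props.get("privateEndpointConnections", [])
    public_open = props.get("publicNetworkAccess", "Enabled") != "Disabled"
    if public_open and not rules and not vnet:
        findings.append("NET_UNRESTRICTED")
        if private_endpoints:
            # A private endpoint does not close the public endpoint by itself.
            findings.append("NET_PRIVATE_ENDPOINT_BUT_PUBLIC_OPEN")
    if "0.0.0.0" in rules:
        # 0.0.0.0 in the Cosmos DB firewall means "any Azure datacenter", not one host.
        findings.append("NET_ALLOWS_ALL_AZURE")
    return findings


def key_findings(props):
    """Checks 2 and 3: what can a stolen key still do?"""
    findings = []
    if props.get("disableKeyBasedMetadataWriteAccess") is not True:
        findings.append("KEY_METADATA_WRITE_ENABLED")
    if props.get("EnabledApiTypes", "") == "Sql":
        if props.get("disableLocalAuth") is not True:
            findings.append("LOCAL_AUTH_ENABLED")
    else:
        # Per the post, only the Core (SQL) API offers Azure AD RBAC for data access,
        # so these accounts stay key-only and must rely on network controls and rotation.
        findings.append("API_NO_AAD_RBAC")
    return findings


def assess(account):
    props = account.get("properties", {})
    return sorted(network_findings(props) + key_findings(props))


def assess_all(accounts):
    return {a["name"]: assess(a) for a in accounts}


if __name__ == "__main__":
    for name, findings in assess_all(load_accounts(SAMPLE_ACCOUNTS)).items():
        print(name, findings or "OK")
```

In the constructed sample, `orders-db` passes all three checks, `telemetry-db` has a private endpoint but is otherwise wide open and still allows key-based metadata writes and local authentication, and `cache-db` is a MongoDB API account whose only firewall entry is `0.0.0.0`. An empty finding list is the target state for the SQL API accounts in scope.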