Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Resolves Padding Oracle Vulnerability in Azure Storage SDK

As part of its July 2022 Patch Tuesday fixes, Microsoft has released an update for the Azure Storage SDK, to address a padding oracle vulnerability in client-side encryption.

As part of its July 2022 Patch Tuesday fixes, Microsoft has released an update for the Azure Storage SDK, to address a padding oracle vulnerability in client-side encryption.

The Azure Storage SDK includes all of the necessary resources that Python, .NET, or Java developers need to build Azure applications that leverage cloud computing resources.

The SDK supports client-side encryption with a customer-managed key that is stored in Azure Key Vault or in a different key store. The previous SDK release uses cipher block chaining (CBC) mode for the encryption.

Tracked as CVE-2022-30187, the security bug was identified in the SDK’s previous implementation of CBC mode and could allow an attacker to “decrypt data on the client side and disclose the content of the file or blob.”

According to Microsoft, however, an attacker looking to exploit the issue needs write access to the blob and also needs to observe decryption failures.

“The attacker would need to perform 128 attempts per byte of plain text to decrypt blob contents. We view putting this combination of qualifiers together for an attack to be rare,” the tech giant notes.

Furthermore, Microsoft says that impact from this vulnerability is low, as only a small set of customers use this client-side encryption to “encrypt their data on the client with a customer-managed key that is maintained in Azure Key Vault or another key store before uploading to Azure Storage.”

The vulnerability was mitigated with the release of a new version of Azure Storage SDK client-side encryption (v2), which became generally available on July 12, 2022. The new version uses AES-GCM for client-side encryption.

The tech giant recommends that all customers who require client-side encryption update to the newly released version, pointing out that the new release enables customers to read and write data that has been encrypted with the previous SDK version.

However, the company also notes that, in addition to updating their code to use the new SDK and client-side encryption versions, customers should also consider migrating previously encrypted data to the new client-side encryption version by “downloading it, reencrypting it, and uploading it again.”

Microsoft also underlines the fact that it is not aware of this vulnerability being exploited in attacks, crediting Google for responsibly disclosing the vulnerability.

Related: Microsoft Patch Tuesday: 84 Windows Vulns, Including Already-Exploited Zero-Day

Related: DLL Hijacking Flaw Fixed in Microsoft Azure Site Recovery

Related: Microsoft Azure Vulnerability Allowed Code Execution, Data Theft

Related: Azure Service Fabric Vulnerability Can Lead to Cluster Takeover

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet