Microsoft has released updates to address a security flaw, CVE-2022-29972, affecting Azure Synapse and Azure Data Factory pipelines. The vulnerability could have let attackers execute remote commands across Integration Runtime (IR) infrastructure; the patch published on April 15 was released before Microsoft observed any attacks being carried out in the wild. The bug could have been exploited to access Synapse workspaces and leak sensitive data, including Azure service keys, API tokens, and passwords to other services. The vulnerability was found in the third-party ODBC data connector used to connect to Amazon Redshift within the Integration Runtime (IR) of Azure Synapse Pipelines and Azure Data Factory.
According to Microsoft, users who have auto-updates enabled should already be on the most recent version and protected from the vulnerability. Users who host their own IR and had auto-updates disabled have been notified of the attacks and warned to update their systems to the most recent version to stay protected. Further mitigation steps from Microsoft can be found here: https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972/#:~:text=command%20line%20activity.-,Customer%20Recommendations%20and%20Additional%20Support,-To%20ensure%20that
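The exposure described above comes down to self-hosted Integration Runtimes that have auto-update turned off and are still running an old version. The following inventory script is an added example, not part of the original article or of Microsoft's guidance; it uses the Az.DataFactory PowerShell module to list every self-hosted IR in the current subscription together with its reported version and auto-update setting, so an administrator can see which runtimes need a manual update. The minimum version to compare against (`$PatchedVersion`) is a placeholder the operator must fill in from Microsoft's advisory; the property names `AutoUpdate` and `Version` on the `-Status` output are assumed from the module's documented behaviour.

```powershell
# Added example: inventory self-hosted Integration Runtimes and flag those
# that are not auto-updating or report a version below the patched release.
# Requires: Az.Accounts and Az.DataFactory modules, and Connect-AzAccount first.

# PLACEHOLDER: set to the minimum patched IR version from Microsoft's advisory.
$PatchedVersion = [version]'0.0.0.0'

$findings = @()

foreach ($factory in Get-AzDataFactoryV2) {
    $runtimes = Get-AzDataFactoryV2IntegrationRuntime `
        -ResourceGroupName $factory.ResourceGroupName `
        -DataFactoryName  $factory.DataFactoryName

    # Only self-hosted runtimes are customer-managed; Azure-hosted ones are patched by Microsoft.
    foreach ($ir in ($runtimes | Where-Object { $_.Type -eq 'SelfHosted' })) {
        # -Status returns runtime state including Version and AutoUpdate (assumed property names).
        $status = Get-AzDataFactoryV2IntegrationRuntime `
            -ResourceGroupName $factory.ResourceGroupName `
            -DataFactoryName  $factory.DataFactoryName `
            -Name             $ir.Name `
            -Status

        # Version may be null for a runtime with no registered nodes; treat that as unknown.
        $reported = $null
        if ($status.Version) { $reported = [version]$status.Version }

        $needsUpdate = ($reported -eq $null) -or ($reported -lt $PatchedVersion)

        $findings += [pscustomobject]@{
            DataFactory   = $factory.DataFactoryName
            ResourceGroup = $factory.ResourceGroupName
            Runtime       = $ir.Name
            Version       = if ($reported) { $reported.ToString() } else { 'unknown' }
            AutoUpdate    = $status.AutoUpdate
            NeedsAction   = $needsUpdate -or ($status.AutoUpdate -ne 'On')
        }
    }
}

# Show runtimes requiring manual attention first.
$findings | Sort-Object -Property NeedsAction -Descending | Format-Table -AutoSize
```

Runtimes flagged `NeedsAction` are the ones to update by hand (or to switch back to auto-update) before assuming the fix has landed; a runtime with no registered nodes reports no version and is listed as unknown rather than silently treated as patched.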