Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Critical Bug Advisory: Authentication Failures #377

Open
pemari-msft opened this issue Dec 31, 2020 · 5 comments
Open

Critical Bug Advisory: Authentication Failures #377

pemari-msft opened this issue Dec 31, 2020 · 5 comments

Comments

@pemari-msft
Copy link
Member

pemari-msft commented Dec 31, 2020
edited by vinjiang
Loading

Due to a latent bug in the CPP REST SDK, date strings are being incorrectly generated as a part of storage requests. This means that requests originating today, 31 December 2020 (UTC) will see persistent 403 errors returned from the storage service. The fix in the underlying CPP REST SDK is being released (2.10.17). Please upgrade your dependency on CPP REST SDK to 2.10.17 ASAP to mitigate this issue according to the instructions in the comment below. Bearer token authentication is not affected. The issue will also self-mitigate on 1 Jan 2021. We apologize for the inconvenience.
@vinjiang vinjiang pinned this issue Dec 31, 2020
@vinjiang
Copy link
Member

To apply the fix in your application,

  • If you're using vcpkg to install azure-storage-cpp package, we recommend you upgrade vcpkg to latest and reinstall azure-storage-cpp and cpprestsdk. Note that this will also upgrade azure-storage-cpp to the latest version of 7.5.0.
  • If you build azure-storage-cpp and cpprest from source code by yourself. You should download the latest cpprest sdk (2.10.17), build and overwrite the older version. You don't need to upgrade azure-storage-cpp package in this case.

@rhythmnewt
Copy link

Thank you for this solution. We're working on rolling out a fix in our environments.

@bandwiches
Copy link

For anyone who stumbles upon this...

The issue will also self-mitigate on 1 Jan 2021

4 years later (12/31/2024) and this issue is still open and still persists.

From support:

Impact Statement: Starting at 06:05 UTC on 31 December 2024, we detected a subset of Azure Storage accounts to be impacted by authentication and authorization errors (403). You have been identified as one of the customers who has been impacted due to this issue. Our engineering team has investigated this further, and this issue is due to the requests coming from specific deprecated versions of Azure Storage CPP SDKs ... Please note that the issue will also self-mitigate on 1 Jan 2025, although we do recommend the customers upgrade the SDKs to the latest version.

@Justsvetoslavov
Copy link

@bandwiches It is an issue that will persist on every leap year on 31st of December.

You can mitigate this by acquiring a patched version from vcpkg (7.5.0#6, based on a latest release tag for example, which has the affected sub-module updated to v2.10.19) or manually update the affected sub-module - cpprestsdk (to 2.10.17 or higher) and create a custom package.

Hopefully I was able to be of some help. Cheers!

@bandwiches
Copy link

Very helpful, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rhythmnewt @pemari-msft @vinjiang @bandwiches @Justsvetoslavov