CVE-2023-21531

Published: 21 Jul 2023
Source: msrc
CVSS3: 7
EPSS: Low

Description

Azure Service Fabric Container Elevation of Privilege Vulnerability

FAQ

Which Azure service(s) does this affect?

This vulnerability affects Azure Service Fabric clusters and standalone Service Fabric clusters orchestrated by Docker. Only users who implement the Docker app containers can be affected.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could elevate their privileges and gain control over the Service Fabric cluster. This vulnerability does not allow the attacker to elevate privileges outside of the compromised cluster.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to first compromise the Service Fabric container and for the targeted environment to be architected in a unique manner.

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

How do I protect myself from this vulnerability?

To be protected from this vulnerability, customers must perform the following actions:

  1. Manually upgrade your Service Fabric Cluster runtime to the latest version(s) provided in 8.2 CU8, 9.0 CU5, or 9.1 CU1 as appropriate. Guidance on how to perform an update can be found here: Upgrade the Service Fabric version that runs on your cluster.

  2. Manually enable and configure the BlockAccessToWireServer feature flag on your Service Fabric Clusters.

NOTE: This feature restricts connectivity to the internal Azure platform resource (168.63.129.16). Customers are highly encouraged to review their cluster endpoints and ensure they are not making any calls or requests to 168.63.129.16 prior to enabling this feature to prevent service interruptions.

What Service Fabric versions are protected against this vulnerability?

The Service Fabric versions listed below provide customers the ability to enable the BlockAccessToWireServer feature flag which will protect against this vulnerability. Customers without auto-update enabled must update their Service Fabric resources as appropriate.

Product                       Platform    Version
Azure Service Fabric 8.2 CU8  Windows     8.2.1723.9590
Azure Service Fabric 8.2 CU8  Ubuntu 18   8.2.1521.1
Azure Service Fabric 9.0 CU5  Ubuntu 18   9.0.1148.1
Azure Service Fabric 9.0 CU5  Ubuntu 20   9.0.1148.1
Azure Service Fabric 9.0 CU5  Windows     9.0.1155.9590
Azure Service Fabric 9.1 CU1  Ubuntu 18   9.1.1230.1
Azure Service Fabric 9.1 CU1  Ubuntu 20   9.1.1230.1
Azure Service Fabric 9.1 CU1  Windows     9.1.1436.9590
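A defender-side check for the two mitigation steps above (runtime at or above the fixed build for its branch and platform, and the BlockAccessToWireServer flag enabled), written as an added example rather than code from the advisory or from Service Fabric itself. The minimum versions are those in the table; the fabricSettings layout follows the ARM template shape, and the "Hosting" section name for the flag is an assumption to adjust for your cluster.

```python
# Minimum protected runtime per (release branch, platform), from the advisory table.
PROTECTED_VERSIONS = {
    ("8.2", "Windows"): "8.2.1723.9590",
    ("8.2", "Ubuntu 18"): "8.2.1521.1",
    ("9.0", "Ubuntu 18"): "9.0.1148.1",
    ("9.0", "Ubuntu 20"): "9.0.1148.1",
    ("9.0", "Windows"): "9.0.1155.9590",
    ("9.1", "Ubuntu 18"): "9.1.1230.1",
    ("9.1", "Ubuntu 20"): "9.1.1230.1",
    ("9.1", "Windows"): "9.1.1436.9590",
}

def parse_version(v):
    # Dotted build string -> tuple of ints so comparison is numeric, not lexical.
    return tuple(int(p) for p in v.split("."))

def runtime_is_protected(version, platform):
    # Step 1: compare against the fixed build of the cluster's own branch;
    # an unknown branch/platform pair is reported as unprotected.
    branch = ".".join(version.split(".")[:2])
    minimum = PROTECTED_VERSIONS.get((branch, platform))
    return minimum is not None and parse_version(version) >= parse_version(minimum)

def wire_server_blocked(fabric_settings, section="Hosting"):
    # Step 2: the flag must be present and set to true ("Hosting" section is an assumption).
    for s in fabric_settings:
        if s.get("name") != section:
            continue
        for p in s.get("parameters", []):
            if p.get("name") == "BlockAccessToWireServer":
                return str(p.get("value")).strip().lower() == "true"
    return False

def audit(cluster):
    # Returns the unmet mitigation steps; an empty list means both are done.
    findings = []
    if not runtime_is_protected(cluster["clusterCodeVersion"], cluster["platform"]):
        findings.append("runtime below fixed version")
    if not wire_server_blocked(cluster.get("fabricSettings", [])):
        findings.append("BlockAccessToWireServer not enabled")
    return findings

# Constructed sample: patched Windows runtime, but the feature flag is still off.
SAMPLE_CLUSTER = {
    "clusterCodeVersion": "9.1.1436.9590",
    "platform": "Windows",
    "fabricSettings": [{"name": "Hosting", "parameters": [{"name": "BlockAccessToWireServer", "value": "false"}]}],
}
```

Running `audit(SAMPLE_CLUSTER)` on the constructed sample reports only the missing flag, since the runtime already matches the 9.1 CU1 Windows build.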

Updates

Product                              Article    Update
Azure Service Fabric 8.2
Azure Service Fabric 9.0 for Linux
Azure Service Fabric 9.1


Exploitability

Publicly Disclosed: No
Exploited: No
Latest Software Release: Exploitation Less Likely
DOS: N/A

EPSS: 0.00227 (percentile 45%, Low)

CVSS3: 7 (High)

Related vulnerabilities

nvd (CVSS3: 7, about 3 years ago):
Azure Service Fabric Container Elevation of Privilege Vulnerability

github (CVSS3: 7, about 3 years ago):
Azure Service Fabric Container Elevation of Privilege Vulnerability.

fstec (CVSS3: 7, more than 3 years ago):
Vulnerability in the WAagent daemon of the Azure Service Fabric Container service allowing an attacker to elevate privileges
