Microsoft’s latest guidance on the recently disclosed OMI vulnerabilities asks users to patch the affected Azure services.
The patch, revealed on Tuesday, fixed three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649 and CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647) in the open-source software agent Open Management Infrastructure (OMI).
OMI is automatically deployed inside Linux virtual machines (VMs) when users enable certain Azure services. “The remote code execution vulnerability only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management,” reads a company blog post.
Rather than patching all affected Azure services, Microsoft has issued an advisory stating that it will update six of them; seven others must be updated by users themselves.
“Customers must update vulnerable extensions for their Cloud and On-Premises deployments as the updates become available per schedule outlined in table below. New VM’s in these regions will be protected from these vulnerabilities post the availability of updated extensions. For cloud deployments with auto update turned on, Microsoft will actively deploy the updates to extensions across Azure regions as per the schedule in the table below. The automatic extension updates will be transparently patched without a reboot. Where possible, customers should ensure that automatic extension updates are enabled.”