Critical Bug Advisory: Authentication Failures

[pemari-msft]

Due to a latent bug in the CPP REST SDK, date strings are being incorrectly generated as a part of storage requests. This means that requests originating today, 31 December 2020 (UTC) will see persistent 403 errors returned from the storage service. The fix in the underlying CPP REST SDK is being released (2.10.17). Please upgrade your dependency on CPP REST SDK to 2.10.17 ASAP to mitigate this issue according to the instructions in the comment below. Bearer token authentication is not affected. The issue will also self-mitigate on 1 Jan 2021. We apologize for the inconvenience.

[vinjiang]

To apply the fix in your application,

• If you're using vcpkg to install azure-storage-cpp package, we recommend you upgrade vcpkg to latest and reinstall azure-storage-cpp and cpprestsdk. Note that this will also upgrade azure-storage-cpp to the latest version of 7.5.0.
• If you build azure-storage-cpp and cpprest from source code by yourself. You should download the latest cpprest sdk (2.10.17), build and overwrite the older version. You don't need to upgrade azure-storage-cpp package in this case.

[rhythmnewt]

Thank you for this solution. We're working on rolling out a fix in our environments.

[bandwiches]

For anyone who stumbles upon this...

The issue will also self-mitigate on 1 Jan 2021

4 years later (12/31/2024) and this issue is still open and still persists.

From support:

Impact Statement: Starting at 06:05 UTC on 31 December 2024, we detected a subset of Azure Storage accounts to be impacted by authentication and authorization errors (403). You have been identified as one of the customers who has been impacted due to this issue. Our engineering team has investigated this further, and this issue is due to the requests coming from specific deprecated versions of Azure Storage CPP SDKs ... Please note that the issue will also self-mitigate on 1 Jan 2025, although we do recommend the customers upgrade the SDKs to the latest version.