There is a Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework, which is used by several Azure extensions you can add to your Linux workloads.
Details can be found here.
But how can you list the affected VMs? Azure Resource Graph is the answer. It is fast, can scan all your subscriptions, and can be integrated into various scripting languages.
You will need to query two tables, virtualmachines and virtualmachines/extensions, and join them:
    Resources
    | where type == 'microsoft.compute/virtualmachines'
    | extend
        JoinID = toupper(id),
        OSName = tostring(properties.osProfile.computerName),
        OSType = tostring(properties.storageProfile.osDisk.osType)
    | where OSType =~ 'Linux'
    | join kind=leftouter(
        Resources
        | where type == 'microsoft.compute/virtualmachines/extensions'
        | extend
            VMId = toupper(substring(id, 0, indexof(id, '/extensions'))),
            ExtensionName = name
    ) on $left.JoinID == $right.VMId
    | where ExtensionName in ('OmsAgentForLinux', 'OMSExtension')
    | summarize Extensions = make_list(ExtensionName) by subscriptionId, resourceGroup, name, OSName
The extension list in this filter is not complete:

    where ExtensionName in ('OmsAgentForLinux', 'OMSExtension')

You will need to add the complete extension list from the Microsoft post.
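The join performed by the query above, reproduced offline in Python so it can be run over exported Resource Graph rows. This is an added example, not code from the original post or from Microsoft; the sample rows, subscription id and VM names are constructed, and the extension set holds only the two names the query uses.

```python
from collections import defaultdict

# The two names from the query on this page; the page notes the list is incomplete.
EXTENSION_NAMES = {"OmsAgentForLinux", "OMSExtension"}
VM_TYPE = "microsoft.compute/virtualmachines"


def vm_id_of(extension_id):
    """Parent VM id: the part before '/extensions', upper-cased as toupper() does."""
    cut = extension_id.lower().find("/extensions")
    return (extension_id if cut < 0 else extension_id[:cut]).upper()


def affected_vms(rows, names=EXTENSION_NAMES):
    """Map upper-cased VM id -> sorted listed extensions, Linux VMs only."""
    linux, found = set(), defaultdict(set)
    for row in rows:
        rtype = row["type"].lower()
        if rtype == VM_TYPE:
            os_type = row["properties"]["storageProfile"]["osDisk"].get("osType", "")
            if os_type.lower() == "linux":  # mirrors the case-insensitive =~
                linux.add(row["id"].upper())
        elif rtype == VM_TYPE + "/extensions" and row["name"] in names:
            found[vm_id_of(row["id"])].add(row["name"])  # `in` is case-sensitive
    return {vm: sorted(ext) for vm, ext in found.items() if vm in linux}


# Constructed sample rows (placeholder subscription id, hypothetical VM names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"


def vm_row(rg, name, os_type):
    return {"type": "microsoft.compute/virtualmachines", "name": name,
            "id": f"{SUB}/{rg}/providers/Microsoft.Compute/virtualMachines/{name}",
            "properties": {"storageProfile": {"osDisk": {"osType": os_type}}}}


def ext_row(rg, vm_name, name):
    return {"type": "microsoft.compute/virtualmachines/extensions", "name": name,
            "id": f"{SUB}/{rg}/providers/Microsoft.Compute/virtualMachines/"
                  f"{vm_name}/extensions/{name}"}


SAMPLE_ROWS = [
    vm_row("rg-app", "web01", "Linux"), ext_row("RG-APP", "web01", "OmsAgentForLinux"),
    vm_row("rg-app", "db01", "Linux"), ext_row("rg-app", "db01", "CustomScript"),
    vm_row("rg-win", "win01", "Windows"), ext_row("rg-win", "win01", "OMSExtension"),
    vm_row("rg-app", "batch01", "Linux"),
]
```

Only web01 is reported for the sample rows: its extension row uses a differently cased resource group, which the upper-casing absorbs, while the Windows VM and the VMs without a listed extension are dropped.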
Edit: You can also use this script published by Microsoft on GitHub to find and update VMs in your subscriptions.
Top comments (1)
Thanks Oliver! Makes my day easier :)
As per MS
So I had a conversation with MS, it seems they are planning to push the update for the extensions starting from tomorrow 9-22-2021 and targeting to complete every region within 1 week (one by one). Hope this helps someone.