Skip to main content

SynLapse: Azure Synapse Analytics vulnerability created prolonged tenant separation risks

by Eamon McCarthy Earls
Assistant Editor,
June 30 2022

Security researchers often find cloud software vulnerabilities from the major cloud providers and share those findings, both with the companies, with their own clients, and, when needed, with the public. But a recently discovered and resolved vulnerability in Microsoft Azure discovered by researchers at Orca Security led to a prolonged period in which customers may have been at risk for malicious attacks.

Tzah Pahima, a researcher with cloud computing security provider with Orca Security discovered the Azure security vulnerability dubbed “SynLapse” in January 2022. It affected Azure Synapse Analytics and Azure Data Factory, allowing attackers to bypass tenant separation and obtain credentials for other Synapse customer accounts, takeover Synapse workspaces, execute code on targeted customer machines, or leak customer credentials to external data sources.

Synapse Analytics is an Azure service that pulls and processes data from customer data sources like Data Lake, Amazon S3, or Azure Cosmos DB and the service is subdivided into workspaces. Customers connect using the integration runtime, self-hosted on-prem or hosted through Azure Data Factory Integration Runtime.

According to Orca, Microsoft took 100 days to fix the SynLapse. The Orca team reported notifying the Microsoft Security Response Center (MSRC) about the vulnerability on January 4 and shared keys and certificates it was able to extract. The MSRC team sought additional information in February and March and ultimately deployed a patch at the end of March. But on March 30, Orca was able to bypass the patch. Microsoft paid Orca $60,000 for the find. As late as April 10, Orca was able to bypass a second patch. Finally, the MSRC team put out a third patch on April 15, resolving the attack vectors.

Pahima initially discovered the vulnerability when researching self-hosted on-prem integration runtimes and found a shell injection vulnerability leading to a Magnitude Simba Redshift ODBC connector. The SAML authentication plugin for one of the connectors contained the shell injection, resulting in a shell command vulnerable to injections. With the third patch issued in April, Synapse no longer allows customers to use an Azure-hosted integration runtime. He wrote:

FREE Membership Required to View Full Content:

Joining gives you free, unlimited access to news, analysis, white papers, case studies, product brochures, and more. You can also receive periodic email newsletters with the latest relevant articles and content updates.
Learn more about us here

About Eamon McCarthy Earls

As the assistant editor at and, Eamon helps to oversee editorial content on the site and supports site management and strategy. He can be reached at

Before joining, Eamon was editor for at TechTarget, where he covered networking technology, IoT, and cybersecurity. He is also the author of multiple books and previously contributed to publications such as the Boston Globe, Milford Daily News, and DefenceWeb.