HCSEC-2020-13 - Vault Proxy Environment Variable Was Logged to STDOUT

Bulletin ID: HCSEC-2020-13
Affected Products / Versions: Vault and Vault Enterprise; fixed in 1.3.6 and 1.4.2.
Publication Date: 21 May, 2020

Summary
Vault and Vault Enterprise (“Vault”) logged proxy environment variables that potentially included sensitive credentials. This vulnerability, CVE-2020-13223, was fixed in Vault 1.3.6 and 1.4.2.

Background
Vault respects the HTTP_PROXY and HTTPS_PROXY environment variables.

Details
When HTTP_PROXY and HTTPS_PROXY variables were configured, Vault logged them to STDOUT. In situations where these environment variables contained proxy server credentials, those were included in the Vault log.

Remediation
Operators should, where their deployment and use case match the conditions described above, upgrade to Vault or Vault Enterprise 1.3.6 or 1.4.2, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Additionally, consider reviewing your Vault logs for proxy server credential disclosure and rotating those credentials if determined necessary.
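As an added illustration of the log review recommended above (example code, not HashiCorp's or Vault's own fix), the Go program below scans constructed log lines for proxy URLs that carry user:password@ credentials, which an operator should then rotate, and includes the redaction a logging path should apply to such a value before writing it.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Matches an http(s) URL anywhere in a log line; stops at whitespace or quotes.
var proxyURLPattern = regexp.MustCompile(`https?://[^\s"']+`)

// SampleLogLines are constructed for this example, not real Vault output.
var SampleLogLines = []string{
	`2020-05-01T10:00:00Z [INFO]  core: security barrier not initialized`,
	`2020-05-01T10:00:01Z [INFO]  proxy: http_proxy=http://svc-user:s3cr3t@proxy.internal:3128`,
	`2020-05-01T10:00:01Z [INFO]  proxy: https_proxy=http://proxy.internal:3128`,
}

// RedactProxyURL replaces user:password@ with REDACTED@ before a proxy setting
// is logged; values that do not parse or carry no userinfo come back unchanged.
func RedactProxyURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return raw
	}
	u.User = url.User("REDACTED")
	return u.String()
}

// Leak records one leaked proxy credential; the password is omitted on purpose.
type Leak struct{ LineNo int; Username, Host string }

// FindProxyCredentialLeaks scans log lines for proxy URLs carrying userinfo.
func FindProxyCredentialLeaks(lines []string) []Leak {
	var leaks []Leak
	for i, line := range lines {
		for _, m := range proxyURLPattern.FindAllString(line, -1) {
			if u, err := url.Parse(m); err == nil && u.User != nil {
				leaks = append(leaks, Leak{i + 1, u.User.Username(), u.Host})
			}
		}
	}
	return leaks
}

func main() {
	for _, l := range FindProxyCredentialLeaks(SampleLogLines) {
		fmt.Printf("line %d: proxy credential for %q at %s; rotate it\n", l.LineNo, l.Username, l.Host)
	}
}
```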

Acknowledgement
This issue was identified by an external party who reported it privately to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.