HCSEC-2020-20 - Vault Leases Created with Batch Tokens have Invalid Expiration

Bulletin ID: HCSEC-2020-20
Affected Products / Versions: HashiCorp Vault and Vault Enterprise versions 1.0 and newer; fixed in 1.4.7 and 1.5.4.
Publication Date: 24 September, 2020

Summary
HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. This vulnerability, CVE-2020-25816, was fixed in 1.4.7 and 1.5.4.

Background
Vault allows the issuance of batch token leases (documentation) that expire according to an associated time-to-life (TTL).

Details
It was observed that some batch token leases may have been issued with a longer TTL than indicated in the documentation, which states “[l]eases created by batch tokens are constrained to the remaining TTL of the batch tokens”. Vault was applying the default TTL to the new lease, instead of deferring to the batch token’s remaining TTL.

Remediation
If deemed necessary, based on deployment / use case, operators should upgrade to Vault 1.4.7 or 1.5.4, or newer.

Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.