HCSEC-2021-02 - Vault API Endpoint Exposed Internal IP Address Without Authentication

Bulletin ID: HCSEC-2021-02
Affected Products / Versions: Vault and Vault Enterprise 1.4.0 and newer; fixed in 1.6.2 & 1.5.7.
Publication Date: 29 January, 2021

Summary
Vault and Vault Enterprise (“Vault”) would disclose the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. This vulnerability, CVE-2021-3024, was fixed in Vault 1.6.2 & 1.5.7.

Background
Vault’s API is the primary means by which a Vault node is controlled, and is utilized by the Vault UI and CLI.

Details
Certain invalid HTTP requests submitted against Vault’s API were found to result in responses that included the API_ADDR field from Vault’s configuration.

Vault’s API request handling and response generation were updated to prevent this exposure.
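A defender-side check, added here as an example and not part of HashiCorp's bulletin or Vault's own code: it classifies a reported Vault version against the affected range stated above (1.4.0 and newer, fixed in 1.5.7 and 1.6.2) and scans a response body captured from your own node for non-routable IPv4 addresses. The sample response body is constructed for illustration only; the bulletin does not show what the leaking response actually looked like.

```python
import ipaddress
import re
from typing import List, Tuple

# Affected range from bulletin HCSEC-2021-02: 1.4.0 and newer, fixed in 1.5.7 and 1.6.2.
FIRST_AFFECTED = (1, 4, 0)
FIXED_VERSIONS = {(1, 5): (1, 5, 7), (1, 6): (1, 6, 2)}

# Dotted-quad candidates; ipaddress filters out non-addresses such as 999.1.1.1.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.5.4', 'v1.6.1' or '1.6.2+ent' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Vault version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if this Vault version lies inside the range the bulletin says is vulnerable."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    fixed_for_line = FIXED_VERSIONS.get(v[:2])
    if fixed_for_line is not None:
        return v < fixed_for_line  # 1.5.x below 1.5.7, 1.6.x below 1.6.2
    return v < (1, 5, 0)  # 1.4.x has no fixed release; 1.7 and later are newer than the fixes


def exposed_internal_addresses(body: str) -> List[str]:
    """Return any non-globally-routable IPv4 addresses found in an HTTP response body."""
    found = []
    for candidate in IPV4.findall(body):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # matched the regex but is not a valid address
        if not ip.is_global:  # RFC 1918, loopback, link-local and similar ranges
            found.append(str(ip))
    return found


if __name__ == "__main__":
    # Constructed sample body for illustration; not an actual Vault error response.
    sample = '{"errors":["node at https://10.0.3.17:8200 did not respond"]}'
    print(is_affected("1.5.4"), exposed_internal_addresses(sample))
```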

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.6.2, 1.5.7, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.