HCSEC-2021-04 - Vault Enterprise’s DR Secondaries Allowed Raft Peer Removal Without Authentication

Bulletin ID: HCSEC-2021-04
Affected Products / Versions: Vault Enterprise 1.6.0 and 1.6.1; fixed in 1.6.2.
Publication Date: 29 January, 2021

Vault Enterprise 1.6.0 and 1.6.1 allowed the remove-peer raft operator command to be executed against DR secondaries without authentication. This vulnerability, CVE-2021-3282, was fixed in Vault Enterprise 1.6.2.

Vault Enterprise clusters configured with integrated storage (also known as the Raft storage engine) and replication use the Raft consensus algorithm to ensure that all nodes have replicated the same data.

It was discovered that the remove-peer raft operator command could be executed against DR secondaries without authentication. While it isn’t possible to remove the final node, it may still be possible to compromise the cluster’s availability.

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.6.2 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

This issue was discovered by the Vault engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.