HCSEC-2021-05 - Vault Enterprise’s DR Secondaries Exposed License Metadata Without Authentication

Bulletin ID: HCSEC-2021-05
Affected Products / Versions: Vault Enterprise 0.9.2 through 1.6.2; fixed in 1.6.3.
Publication Date: 25 February, 2021

Summary
Vault Enterprise’s /sys/license endpoint allowed license metadata to be read from Vault DR secondaries without authentication. This vulnerability, CVE-2021-27668, was fixed in Vault Enterprise 1.6.3.

Background
Vault Enterprise nodes expose the /sys/license API endpoint for access to and configuration of license information.

Details
It was discovered that the /sys/license endpoint could be read from Vault Enterprise DR secondaries without authentication. While it wasn’t possible to modify the licensing configuration or to access the license itself, licensing metadata could be read from these nodes.
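An inventory check a defender can run against the affected range above, added here as an example and not HashiCorp's own tooling: it classifies a node from its unauthenticated /sys/health response. It assumes the response carries a "version" field whose Enterprise builds end in "+ent" (or "+ent.hsm") and a "replication_dr_mode" field with values "disabled", "primary" or "secondary"; the sample health bodies are constructed.

```python
import json
import re
from typing import Tuple

# Inclusive affected range from HCSEC-2021-05; 1.6.3 is the first fixed release.
FIRST_AFFECTED = (0, 9, 2)
LAST_AFFECTED = (1, 6, 2)

# core version, optional pre-release ("-rc1"), optional build metadata ("+ent.hsm")
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+([0-9A-Za-z.]+))?$"
)


def parse_vault_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_enterprise) for strings like '1.6.2+ent'.
    Assumption: Enterprise builds carry '+ent...' build metadata; the pre-release
    tag is ignored because the advisory's range is stated on release numbers."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Vault version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    is_ent = (m.group(5) or "").startswith("ent")
    return core, is_ent  # type: ignore[return-value]


def is_affected_version(version: str) -> bool:
    """True only for Enterprise builds inside 0.9.2 .. 1.6.2 (OSS has no /sys/license)."""
    core, is_ent = parse_vault_version(version)
    return is_ent and FIRST_AFFECTED <= core <= LAST_AFFECTED


def assess_health(health_json: str) -> dict:
    """Classify one node from its /sys/health JSON body (assumed field names)."""
    h = json.loads(health_json)
    version = h["version"]
    dr_mode = h.get("replication_dr_mode", "disabled")
    affected = is_affected_version(version)
    return {
        "version": version,
        "dr_mode": dr_mode,
        "affected_version": affected,
        # The unauthenticated read only applies on DR secondaries, but every
        # affected node in the cluster still needs the upgrade.
        "exposed_dr_secondary": affected and dr_mode == "secondary",
        "action": "upgrade to 1.6.3 or newer" if affected else "no action for CVE-2021-27668",
    }


# Constructed sample health bodies (not real cluster output).
SAMPLE_DR_SECONDARY = '{"version": "1.6.2+ent", "replication_dr_mode": "secondary"}'
SAMPLE_FIXED_PRIMARY = '{"version": "1.6.3+ent.hsm", "replication_dr_mode": "primary"}'
```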

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.6.3 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.