HCSEC-2021-10 - Vault’s Cassandra Integrations Did Not Validate TLS Certificates

Bulletin ID: HCSEC-2021-10
Affected Products / Versions: Vault and Vault Enterprise; fixed in 1.6.4 and 1.7.1.
Publication Date: April 21, 2021

Summary
Vault and Vault Enterprise (“Vault”) Cassandra integrations, a Vault storage backend and database secrets engine plugin, did not validate TLS certificates when connecting to Cassandra clusters. This vulnerability, CVE-2021-27400, was fixed in Vault and Vault Enterprise 1.6.4 and 1.7.1.

Background
Vault integrates with Apache Cassandra, an open-source NoSQL database, in two ways. The Cassandra storage backend is used to persist Vault’s data in a Cassandra cluster, and the Cassandra database secrets engine plugin allows dynamic generation of database credentials based on configured roles for the Cassandra database.

Details
Vault’s Cassandra integrations did not have TLS certificate validation enabled for connections to Cassandra clusters. As a result, Vault may have connected to Cassandra clusters without adequately verifying the trustworthiness of the remote service and connection.

Remediation
Customers using the Vault Cassandra integrations should evaluate the risk associated with this issue, and consider upgrading to Vault Enterprise 1.6.4 / 1.7.1 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by Martin Sucha who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.