HCSEC-2021-11 - Terraform’s Vault Provider Did Not Correctly Configure Bound Labels for GCP Auth

Bulletin ID: HCSEC-2021-11
Affected Products / Versions: Terraform’s Vault Provider (terraform-provider-vault); fixed in 2.19.1.
Publication Date: April 21, 2021

Summary
Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. This vulnerability, CVE-2021-30476, was fixed in terraform-provider-vault 2.19.1.

Background
Terraform’s Vault Provider (https://registry.terraform.io/providers/hashicorp/vault, https://github.com/hashicorp/terraform-provider-vault) allows Terraform to read from, write to, and configure Vault.

The provider defines a vault_gcp_auth_backend_role resource that may be used to configure Vault’s gcp auth method. For roles of type “gce”, the provider supports a bound_labels argument which corresponds to Vault’s bound_labels parameter accepted at role creation time.

Details
Within the provider, the bound_labels argument was being incorrectly mapped from Terraform configuration to the Vault API endpoint for role creation. As a result, bound labels that were defined in Terraform configuration were silently ignored and were not applied to the Vault GCP auth configuration.
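A way to detect roles where the labels declared in Terraform never reached Vault (the silent-ignore symptom described above), as an added example that is not part of this advisory or of the provider: it compares the bound_labels declared in the vault_gcp_auth_backend_role resource against the data returned by `vault read -format=json auth/gcp/role/<name>`. The two JSON documents below are constructed sample responses, and the assumption that the read response lists bound_labels as `key:value` strings is mine.

```python
import json

# Constructed sample of `vault read -format=json auth/gcp/role/web` for a gce
# role created with an affected provider: bound_labels came back empty even
# though the Terraform configuration declared labels (response shape assumed).
SAMPLE_ROLE_READ_AFFECTED = json.dumps({
    "data": {
        "type": "gce",
        "bound_projects": ["my-project"],
        "bound_zones": ["us-central1-a"],
        "bound_labels": [],
    }
})

# Constructed sample of the same role after the labels were applied correctly.
SAMPLE_ROLE_READ_FIXED = json.dumps({
    "data": {
        "type": "gce",
        "bound_projects": ["my-project"],
        "bound_zones": ["us-central1-a"],
        "bound_labels": ["env:prod", "team:payments"],
    }
})

# Labels as declared in the Terraform resource, in the same key:value form.
DECLARED_LABELS = ["env:prod", "team:payments"]


def parse_bound_labels(read_output: str) -> dict:
    """Turn the bound_labels list of a `vault read` JSON response into a dict."""
    data = json.loads(read_output)["data"]
    labels = {}
    for item in data.get("bound_labels") or []:
        key, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"malformed bound label: {item!r}")
        labels[key] = value
    return labels


def missing_labels(declared: list, read_output: str) -> list:
    """Return declared key:value labels that Vault does not actually enforce."""
    applied = parse_bound_labels(read_output)
    return [item for item in declared
            if applied.get(item.partition(":")[0]) != item.partition(":")[2]]


if __name__ == "__main__":
    gap = missing_labels(DECLARED_LABELS, SAMPLE_ROLE_READ_AFFECTED)
    if gap:
        print("bound_labels declared but not enforced by Vault:", ", ".join(gap))
```

Run it against the live read output of every gce-type role managed by the provider; any non-empty result means the role is not restricting logins by label as the configuration intended.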

Remediation
Customers should review their usage of Terraform’s Vault Provider (specifically any usage of the vault_gcp_auth_backend_role resource and bound_labels argument), evaluate the risk associated with this issue, and consider upgrading to terraform-provider-vault 2.19.1 or newer.

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.