HCSEC-2021-33 - Vault’s KV Secrets Engine With Integrated Storage Exposed to Authenticated Denial of Service

Bulletin ID: HCSEC-2021-33
Affected Products / Versions: Vault and Vault Enterprise 1.4.0 through 1.7.6, 1.8.5 and 1.9.0; fixed in 1.7.7, 1.8.6, 1.9.1.
Publication Date: December 13, 2021

It was reported that for Vault and Vault Enterprise (“Vault”) clusters using the Integrated Storage backend could be caused to crash by an authenticated user with write permissions to the KV secrets engine. This vulnerability, CVE-2021-45042, was fixed in Vault 1.7.7, 1.8.6, and 1.9.1.

Vault’s Raft-based Integrated Storage was introduced in Vault and Vault Enterprise 1.4.0 and provides a highly available storage backend for Vault. The database is replicated and stored encrypted on all Vault cluster nodes.

Vault’s KV (key-value) secrets engine is used to store arbitrary secrets within the configured storage backend for Vault.

An external party reported that KV secret engine key sizes greater than 32KB will cause Integrated Storage’s underlying Raft storage cluster to fail. Because this change is first persisted to the Raft log, it caused Vault to panic when applying these changes, and continue to panic after restarts.

Vault will now correctly check key sizes for the KV secrets engine based on the maximum size supported by the underlying database prior to persisting them to the Raft log.

Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.7.7, 1.8.6, or 1.9.1. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

This issue was disclosed publicly via a GitHub issue. If you would like to report a vulnerability in one of our products or services, or have security concerns regarding HashiCorp software or systems, please email security@hashicorp.com.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.