HCSEC-2022-08 - Vault Enterprise’s Tokenization Transform Configuration Endpoint May Expose Transform Key

Bulletin ID: HCSEC-2022-08
Affected Products / Versions: Vault Enterprise 1.7.0 through 1.7.9, 1.8.8, and 1.9.3.
Publication Date: March 4, 2022

Vault Enterprise (“Vault”) clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. This vulnerability, CVE-2022-25244, was fixed in Vault Enterprise 1.7.10, 1.8.9, and 1.9.4.

Vault’s tokenization transform protects sensitive values by replacing them with tokens that cannot be reversed from the token alone. To decode the original value, the token must be submitted to Vault, which looks it up in a cryptographic mapping held in storage. Tokenization is therefore stateful: decoding requires both the tokenization state and the transform key.

During ongoing Vault development, it was observed that the tokenization key configuration endpoint incorrectly included the base64-encoded key as part of a requested key configuration.

Exposure to key disclosure and subsequent tokenization reversal is mitigated as follows:

  • The endpoint in question is authenticated, with read permissions generally reserved for Vault operators and unneeded for tokenization transform usage on a day-to-day basis.
  • Knowledge of the transform key alone is insufficient to reverse the tokenization. An adversary would also need tokenization state values (stored either in Vault’s backend storage or external RDBMS) as well as end-user-device tokens (if the default, non-exportable tokenization mode is used) to reverse the tokenization process.

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.7.10, 1.8.9, 1.9.4, or newer. Operators may also opt to rotate the tokenization key, if they believe it was exposed. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
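As an added illustration, not part of this bulletin or of Vault's own tooling, the following Python helper checks a reported Vault Enterprise version against the affected ranges above and scans Vault audit-log lines (constructed here) for completed reads of a tokenization key configuration, the operation that returned the key in affected versions. The path shape `<mount>/tokenization/keys/<name>` and the audit-log field names are assumptions.

```python
import json
import re

# Inclusive affected ranges from HCSEC-2022-08; 1.7.10, 1.8.9 and 1.9.4 carry the fix.
AFFECTED_RANGES = [((1, 7, 0), (1, 7, 9)), ((1, 8, 8), (1, 8, 8)), ((1, 9, 3), (1, 9, 3))]

# Assumed path shape of the key-configuration endpoint: <mount>/tokenization/keys/<name>.
# Sub-paths such as .../rotate are writes, not the read that disclosed the key.
KEY_CONFIG_RE = re.compile(r"^(?P<mount>.+?)/tokenization/keys/(?P<key>[^/]+)$")


def parse_version(v: str) -> tuple:
    """'1.9.3+ent' or 'v1.7.9' -> (1, 9, 3); build and pre-release tags are dropped."""
    core = v.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the bulletin's affected ranges."""
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in AFFECTED_RANGES)


def key_config_reads(audit_lines) -> list:
    """Return (time, display_name, mount, key) for every completed, non-error read
    of a tokenization key configuration found in JSON audit-log lines."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        # 'response' entries record the finished request; an 'error' field means it failed.
        if ev.get("type") != "response" or ev.get("error"):
            continue
        req = ev.get("request", {})
        if req.get("operation") != "read":
            continue
        m = KEY_CONFIG_RE.match(req.get("path", ""))
        if m:
            who = ev.get("auth", {}).get("display_name")
            hits.append((ev.get("time"), who, m["mount"], m["key"]))
    return hits


# Constructed sample audit entries: one key-config read by an operator, an encode call,
# a key rotation (an update), and a denied read by an application token.
SAMPLE_AUDIT = [
    '{"type":"response","time":"2022-03-04T10:00:01Z","auth":{"display_name":"token-ops-alice"},'
    '"request":{"operation":"read","path":"transform/tokenization/keys/card-key"}}',
    '{"type":"response","time":"2022-03-04T10:00:02Z","auth":{"display_name":"token-app"},'
    '"request":{"operation":"update","path":"transform/encode/payments"}}',
    '{"type":"response","time":"2022-03-04T10:00:03Z","auth":{"display_name":"token-ops-bob"},'
    '"request":{"operation":"update","path":"transform/tokenization/keys/card-key/rotate"}}',
    '{"type":"response","time":"2022-03-04T10:00:04Z","error":"permission denied",'
    '"auth":{"display_name":"token-app"},"request":{"operation":"read","path":"transform/tokenization/keys/card-key"}}',
]
```

Running `key_config_reads` over a real audit log for the exposure window gives the list of identities that could have seen the key, which is the input to the "rotate if exposed" decision above.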

This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.