HCSEC-2022-12 - Vault’s Login MFA Configuration And Enforcement Not Reloaded After Restart

Bulletin ID: HCSEC-2022-12
Affected Products / Versions: Vault and Vault Enterprise from 1.10.0 through 1.10.2; fixed in 1.10.3.
Publication Date: May 16, 2022

A vulnerability was identified in Vault and Vault Enterprise (“Vault”) from 1.10.0 to 1.10.2 where MFA may not be enforced on user logins after a server restart. This vulnerability, CVE-2022-30689, was fixed in Vault 1.10.3.

Vault provides a wide range authentication methods, including a recently introduced Login MFA feature which allows the use of TOTP passcodes or third party services (Duo, Okta, PingID) as second factors for user authentication on login. Vault also offers Enterprise MFA, which provides path-based enforcement of MFA in policies.

An external party reported that the configuration and enforcement of the Login MFA feature was not being loaded after a Vault restart.

This vulnerability affects the Login MFA feature introduced in Vault and Vault Enterprise 1.10.0, but does not affect any of Vault’s Enterprise MFA features.

Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.10.3, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.