HCSEC-2022-24 - Vault's TLS Cert Auth Method Only Loaded CRL After First Request

Bulletin ID: HCSEC-2022-24
Affected Products / Versions: Vault and Vault Enterprise up to 1.11.3; fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
Publication Date: October 11, 2022

Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10.

Vault allows the configuration of Certificate Revocation Lists (CRLs) for Vault’s certificate authentication method, which is checked when users login using TLS certificates. The Vault TLS certificate auth method will verify the presented certificate to ensure it does not appear on any configured CRLs to ensure the certificate has not been revoked.

As a general rule, we recommend keeping short TTLs to mitigate the operational complexities of certificate and credential revocation.

It was discovered that the CRL used by Vault’s certificate authentication method was not being loaded on startup, and required a request to the CRL endpoint to populate the data structure containing the CRL entries. In multi-cluster deployments, this behavior also occurs on invalidation due to a write from another cluster.

As a result, when using TLS certificate authentication, Vault did not correctly perform CRL revocation checks if login occurred between Vault startup (or invalidation) and a manual retrieval of the CRL.

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.12.0, 1.11.4, 1.10.7, and 1.9.10, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.