HCSEC-2023-33 - Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption

Bulletin ID: HCSEC-2023-33
Affected Products / Versions: Vault and Vault Enterprise since 1.15.0, 1.14.3, 1.13.7, fixed in 1.15.2, 1.14.6, 1.13.10.
Publication Date: November 9, 2023

Vault and Vault Enterprise (“Vault”) inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, is fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Policies provide a declarative way to define what can and cannot be accessed in Vault, and are used to authorize inbound client requests as described in Vault’s architecture documentation.

An excessive memory consumption issue was introduced in Vault 1.15.0, 1.14.3, and 1.13.7 where inbound client requests triggering a policy check create a logger that is never removed from memory.

The side effect of this issue is an unbounded consumption of memory until out-of-memory processes are triggered by the operating system. Since the issue occurs on requests the memory growth is proportional to the volume of requests, and may result in denial-of-service.

Operators may have experienced increased memory usage after upgrading Vault to one of the affected versions above. This excessive memory consumption is more prevalent in Vault Enterprise.

Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.15.2, 1.14.6, 1.13.10, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.