Bulletin ID: HCSEC-2023-34
Affected Products / Versions: Vault and Vault Enterprise since 1.12.0, fixed in 1.15.4, 1.14.8, 1.13.12.
Publication Date: December 8, 2023
Vault and Vault Enterprise (“Vault”) is vulnerable to denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. This vulnerability, CVE-2023-6337, is fixed in Vault 1.15.4, 1.14.8, 1.13.12.
Vault’s server exposes HTTP API endpoints, which provide full access to Vault using REST-like HTTP verbs. The Vault CLI and web UI use the HTTP API to access Vault, similar to all other consumers.
An excessive memory consumption issue was introduced in 1.12.0, where inbound HTTP requests are processed as part of a function that determines whether a rate limit quota has been reached for certain auth methods. This operation is performed before limits and quotas have been applied to the request.
This function processes every HTTP request sent to Vault to determine whether to apply a rate limit. As part of this processing, the request is copied into memory with no bounds checks or size limits. A large request, when copied into memory, may consume the available memory of the host until out-of-memory handling is triggered by the operating system, which may cause Vault to crash and not recover automatically.
This issue may also be triggered by legitimate Vault usage that involves large requests, such as restoring large snapshots.
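The defect class described above (buffering a whole request body before any limit is consulted) and its standard mitigation can be shown side by side in a small Go program. The following is an added illustration written for this bulletin; it is not Vault's code and does not reproduce Vault's rate-limit-quota function. The handler names, the `/v1/example` path and the 1 MiB `maxBodyBytes` ceiling are assumptions chosen for the demonstration; the bounded variant relies on the standard-library `http.MaxBytesReader`, which stops reading at the ceiling and returns an `*http.MaxBytesError`.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes is an assumed, illustrative ceiling (1 MiB). A real
// deployment sizes it per route to its largest legitimate request.
const maxBodyBytes = 1 << 20

// unboundedHandler reproduces the defect class the bulletin describes:
// the entire request body is buffered in memory before any limit or
// quota is consulted, so memory use grows with whatever the client sends.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // no ceiling: a large body means a large allocation
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "buffered %d bytes", len(body))
}

// boundedHandler wraps the body with http.MaxBytesReader so that at most
// maxBodyBytes are ever read; once the limit is crossed the read fails with
// *http.MaxBytesError and the handler answers 413 without ever holding the
// oversized body in memory.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "buffered %d bytes", len(body))
}

// send drives a handler in-process with a constructed body of n zero bytes
// (assumed test input) and returns the status code and response text, so
// both handlers can be compared without a network listener.
func send(h http.HandlerFunc, n int) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/v1/example", bytes.NewReader(make([]byte, n)))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, n := range []int{512, 4 * maxBodyBytes} {
		code, msg := send(unboundedHandler, n)
		fmt.Printf("unbounded, %d-byte body: %d %s\n", n, code, msg)
		code, msg = send(boundedHandler, n)
		fmt.Printf("bounded,   %d-byte body: %d %s\n", n, code, msg)
	}
}
```

The point of the comparison is where the limit sits: the bounded handler rejects an oversized body at the read, before anything downstream (such as a quota check that needs the request contents) can allocate for it. As the bulletin notes, legitimate operations such as restoring large snapshots also produce large requests, so a single global ceiling is the wrong shape; the limit has to be set per endpoint, high enough for the largest request that endpoint is expected to serve, and the same constraint applies to any body-size limit enforced at a reverse proxy or load balancer in front of the server.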
Customers should evaluate the risk associated with this issue (exposure will depend on deployment-specific network architecture and associated security controls) and consider upgrading to Vault 1.15.4, 1.14.8, 1.13.12, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
This issue was identified by the Vault engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.