Bulletin ID: HCSEC-2023-34
Affected Products / Versions: Vault and Vault Enterprise since 1.12.0, fixed in 1.15.4, 1.14.8, 1.13.12.
Publication Date: December 8, 2023
Summary
Vault and Vault Enterprise (“Vault”) is vulnerable to denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. This vulnerability, CVE-2023-6337, is fixed in Vault 1.15.4, 1.14.8, 1.13.12.
Background
Vault’s server exposes HTTP API endpoints, which provide full access to Vault using REST-like HTTP verbs. The Vault CLI and web UI use the HTTP API to access Vault, similar to all other consumers.
Details
An excessive memory consumption issue was introduced in 1.12.0, where inbound HTTP requests are processed as part of a function that determines whether a rate limit quota has been reached for certain auth methods. This operation is performed before limits and quotas have been applied to the request.
This function processes every HTTP request sent to Vault to determine whether to apply a rate limit. As part of this processing, the request is copied into memory with no bounds checks or limits. A large request, when copied into memory, may consume all available memory on the host until the operating system's out-of-memory handling is triggered, which may cause Vault to crash and not recover automatically.
This issue may also be triggered by legitimate Vault usage that involves large requests, such as restoring large snapshots.
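The unbounded-copy pattern described above, shown next to a bounded reader that applies a size limit before any pre-authentication processing touches the body. This is an added Go example, not Vault's code; the 1 MiB limit, the /v1/example path, the handler and the function names are assumptions for illustration.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed illustrative limit for this example; not a Vault setting.
const maxBodyBytes int64 = 1 << 20
// readUnbounded copies the whole body into memory, however large it is:
// the pattern the bulletin describes, where the client dictates the allocation.
func readUnbounded(r *http.Request) ([]byte, error) {
	return io.ReadAll(r.Body)
}

// readBounded buffers at most maxBodyBytes; a larger body fails once the limit is crossed.
func readBounded(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	return io.ReadAll(r.Body)
}

// preCheckHandler stands in for a pre-authentication step (such as a quota
// lookup) that needs the body; oversized input is rejected with 413.
func preCheckHandler(w http.ResponseWriter, r *http.Request) {
	if _, err := readBounded(w, r); err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// newRequest builds a constructed POST whose body is size bytes (not real traffic).
func newRequest(size int) *http.Request {
	return httptest.NewRequest(http.MethodPost, "/v1/example", strings.NewReader(strings.Repeat("a", size)))
}
// bytesHeld reports how much of a size-byte body each reader ends up holding.
func bytesHeld(size int) (unbounded, bounded int) {
	u, _ := readUnbounded(newRequest(size))
	b, _ := readBounded(httptest.NewRecorder(), newRequest(size))
	return len(u), len(b)
}

// statusForBodySize runs preCheckHandler on a size-byte body and returns the status code.
func statusForBodySize(size int) int {
	rec := httptest.NewRecorder()
	preCheckHandler(rec, newRequest(size))
	return rec.Code
}
```

With a 2 MiB body, readUnbounded holds all 2 MiB while readBounded stops at the 1 MiB limit and the handler answers 413 instead of buffering further.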
Remediation
Customers should evaluate the risk associated with this issue (exposure will depend on deployment-specific network architecture and associated security controls) and consider upgrading to Vault 1.15.4, 1.14.8, 1.13.12, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
Acknowledgement
This issue was identified by the Vault engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.