HCSEC-2024-10 - Vault Enterprise Leaks Sensitive HTTP Request Headers in Audit Log When Deployed With a Performance Standby Node

Bulletin ID: HCSEC-2024-10
Affected Products / Versions: Vault Enterprise, versions 1.15.0 through 1.15.7; fixed in 1.15.8.
Publication Date: April 30, 2024

Summary
Vault Enterprise, when configured with both performance standby nodes and an audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request header information in cleartext. This vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8.

Background
In Vault Enterprise, customers have the ability to deploy Vault in a highly available mode that delegates the reads and writes to other nodes in the Vault cluster. Performance standby nodes can handle most read-only requests and are designed to provide horizontal scalability of a single Vault cluster.

Details
When a Vault cluster is configured with performance standby nodes and a configured audit device, an audit log is created for each node and records every operation that node performs. By default, sensitive information is HMAC’d and information related to HTTP requests is not included.

A bug that affected only performance standby nodes resulted in raw HTTP request headers being included in the audit log. The majority of Vault HTTP communications are authenticated and therefore include a Vault token in the HTTP headers. In turn, this Vault token was presented in cleartext in the audit log of the performance standby node, where an attacker with access to the audit log could view it and use it for further attacks on the Vault cluster.

Remediation
Customers utilizing performance standby nodes with the affected versions of Vault Enterprise should review their audit logs on the standby nodes for any possible leakage of Vault API tokens in request headers, and then plan an upgrade to Vault Enterprise 1.15.8. After upgrading, it is recommended to rotate the affected Vault API tokens.
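The review step above, as an added example that is not part of this bulletin or of Vault itself: a small Python scanner that reads audit-log lines from a standby node and reports token headers that appear without the HMAC prefix. It assumes the file audit device's JSON-lines layout with headers under request.headers (an assumption about nesting), and the sample lines are constructed.

```python
import json

# Assumed audit-log shape (not taken from the bulletin): one JSON object per
# line, with request headers under request.headers as header -> list of values.
HMAC_PREFIX = "hmac-sha256:"          # prefix Vault puts on HMAC'd values
TOKEN_HEADERS = ("x-vault-token", "authorization")

def find_leaked_headers(lines):
    """Return (line_no, header, value) for every token-carrying header whose
    value appears in cleartext, i.e. without the HMAC prefix."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (rotation markers, truncated writes)
        headers = (entry.get("request") or {}).get("headers") or {}
        for name, values in headers.items():
            if name.lower() not in TOKEN_HEADERS:
                continue
            if isinstance(values, str):
                values = [values]
            for v in values:
                if HMAC_PREFIX not in v:
                    findings.append((n, name, v))
    return findings

def redact(value):
    """Show only enough of a token to identify it for rotation."""
    return value[:6] + "..." if len(value) > 6 else "***"

# Constructed sample lines: line 2 mimics the faulty standby-node behaviour.
SAMPLE_LOG = """\
{"type":"request","request":{"path":"secret/data/app","headers":{"x-vault-token":["hmac-sha256:abc123"]}}}
{"type":"request","request":{"path":"secret/data/app","headers":{"X-Vault-Token":["hvs.CAESIexampleplaceholdertoken"],"User-Agent":["curl/8.0"]}}}
not json
{"type":"response","request":{"path":"sys/health"}}
"""

if __name__ == "__main__":
    for n, name, v in find_leaked_headers(SAMPLE_LOG.splitlines()):
        print(f"line {n}: cleartext {name}: {redact(v)} -> rotate this token")
```

Run it against each standby node's audit log path; every reported token should be revoked and reissued after the upgrade.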

Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

A workaround exists for customers unable to upgrade to disable the misconfigured audit behavior by setting the VAULT_AUDIT_DISABLE_EVENTLOGGER environment variable to true and restarting the Vault cluster.

Acknowledgement
This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.