HCSEC-2024-11 - Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims

Bulletin ID: HCSEC-2024-11
Affected Products / Versions: Vault and Vault Enterprise 0.11.0 up to 1.16.2; fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, 1.15.9.
Publication Date: June 12, 2024

Summary
Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT with audience and role-bound claims that do not match, allowing an invalid login to succeed when it should have been rejected.

This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9

Background
The JWT auth method can be used to authenticate with Vault using OIDC or by providing a JWT. More information on the JWT auth method can be found at JWT/OIDC - Auth Methods | Vault | HashiCorp Developer.

Details
A bug existed in the JWT auth method where Vault would only apply the validation logic if the audience claim was a single string. This bug was an implementation error of RFC 7518, where the audience claim can be a single string or set of strings.

When Vault encountered an audience claim as a list of strings, it would skip the validation logic meant to check the existence of role bound audience claims against the audience claims. As a result, Vault would continue with other JWT validations and if successful, the JWT payload provided would be verified and may be used to log in to an underlying system.

Remediation
Customers using the JWT auth method configured in their Vault installation should evaluate the risk associated with this issue and consider upgrading to Vault 1.17.0, 1.16.3, 1.15.9 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.

Upgrading Vault to the fixed versions also may break existing JWT auth method deployments. Please refer to the 1.17.x upgrade guide for more information.

Acknowledgement
This issue was identified by Kacper StysiƄski and Alex Scheel.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.