Bulletin ID: HCSEC-2024-18
Affected Products / Versions:
Vault Enterprise Edition 1.16.7 to 1.16.8; fixed in Vault Enterprise Edition 1.16.9.
Vault Community Edition and Vault Enterprise Edition 1.17.3 to 1.17.4; fixed in Vault Community Edition and Vault Enterprise Edition 1.17.5.
Publication Date: August 30, 2024
Summary
Vault Community Edition and Vault Enterprise experienced a regression where functionality that HMAC’d sensitive headers in the configured audit device, specifically client tokens and token accessors, was removed. This resulted in the plaintext values of client tokens and token accessors being stored in the audit log. This vulnerability, CVE-2024-8365, was fixed in Vault Community Edition and Vault Enterprise 1.17.5 and Vault Enterprise 1.16.9.
Background
Audit devices, or logs, are the components in Vault that collectively keep a detailed log of all requests to Vault, and their responses. Because every operation with Vault is an API request/response, when using a single audit device, the audit log contains every interaction with the Vault API, including errors (except for a few paths which do not go via the audit system).
Details
Every interaction is logged to the audit device, including requests in which Vault tokens, client tokens, or other sensitive information is present. Vault normally records an HMAC of such sensitive values, rather than the values themselves, when they are written to the audit device. In the affected versions of Vault, a regression removed the functionality that performed this hashing, so the plaintext values were stored in the audit device.
Remediation
Customers should update Vault to a fixed version and then review the logs in their audit devices and rotate any affected credentials identified.
Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
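As an aid to the log review step above, the following is an added example (not HashiCorp's code and not part of this bulletin) that scans JSON-lines audit entries and reports token and accessor fields whose value lacks the hmac-sha256: prefix that a correctly functioning audit device writes. The field names (client_token, accessor, client_token_accessor) and the sample entries are assumptions constructed for the example.

```python
import json

# Audit-log fields that Vault is expected to HMAC before writing them out.
SENSITIVE_KEYS = {"client_token", "accessor", "client_token_accessor"}
HMAC_PREFIX = "hmac-sha256:"


def find_plaintext_fields(obj, path=""):
    """Walk one decoded audit entry and return the dotted paths of sensitive
    fields whose value is not HMAC'd (i.e. lacks the hmac-sha256: prefix)."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS and isinstance(value, str) and value:
                if not value.startswith(HMAC_PREFIX):
                    hits.append(child)
            else:
                hits.extend(find_plaintext_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_plaintext_fields(item, f"{path}[{i}]"))
    return hits


def scan_audit_log(lines):
    """Scan raw JSON-lines audit entries; return (line_no, paths) for every
    entry carrying a plaintext token or accessor. Malformed lines are skipped."""
    findings = []
    for n, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        paths = find_plaintext_fields(entry)
        if paths:
            findings.append((n, paths))
    return findings


# Constructed sample entries (not real audit output): the first is the healthy
# HMAC'd form, the second is the shape the regression produces.
SAMPLE_LINES = [
    '{"type":"request","auth":{"client_token":"hmac-sha256:0a1b","accessor":"hmac-sha256:2c3d"},'
    '"request":{"path":"secret/data/app","client_token":"hmac-sha256:0a1b","client_token_accessor":"hmac-sha256:2c3d"}}',
    '{"type":"response","auth":{"client_token":"hvs.CONSTRUCTED_TOKEN","accessor":"CONSTRUCTED_ACCESSOR"},'
    '"request":{"path":"auth/token/lookup-self"},"response":{"auth":{"client_token":"hvs.CONSTRUCTED_TOKEN","accessor":"CONSTRUCTED_ACCESSOR"}}}',
]

if __name__ == "__main__":
    for line_no, paths in scan_audit_log(SAMPLE_LINES):
        print(f"line {line_no}: plaintext values at {', '.join(paths)}")
```

Any entry the scan flags identifies a token or accessor that was written in the clear and should be treated as exposed and rotated.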
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.