Option / Parameter to Hide versioning information

mmavrudiev · April 22, 2021, 6:28am

Hi,

Is there a way to hide the vault’s versioning information from all the possible “public” vault’s places, like the versioning information in the UI (at the bottom there is a banner like © 2021 HashiCorp Vault 1.4.0 Upgrade to Vault Enterprise Documentation) or from the API endpoints /v1/sys/health and /v1/sys/seal-status which also return a “version” key.

Impact
The disclosure of version or system information allows an attacker to conduct a selective search in vulnerability databases. The obtained information can then be used as a basis for attacks.
Recommendation
It is recommended not to disclose any information about the system or available services. Such information should be removed from banners.

Thanks a lot,

mikegreen · April 26, 2021, 2:01pm

Not a bad idea, however, usually you don’t want your Vault API open to the world.
If you require that, it might be useful to put a LB or proxy (ie, nginx) ahead of it to route certain things like health and certain paths only for authenticated (ie, bearer token or other org access) requests.

As for a change to allow this, you might get more on it with a GH issue.

Topic		Replies	Views
Get secret engine version via CLI Vault vault	4	1318	October 5, 2020
Vault annotation for accessing secret from specific version Vault k8s	0	533	October 23, 2020
HCSEC-2021-02 - Vault API Endpoint Exposed Internal IP Address Without Authentication Security security-vault	0	8054	January 29, 2021
(Please verify) - vault-k8s-configmap approach - Passing version information Vault	0	267	February 1, 2021
Vault missing in checkpoint api Vault	10	1326	April 2, 2022

Option / Parameter to Hide versioning information

Related topics