Bug 2182981 (CVE-2023-0665)

Summary: CVE-2023-0665 hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, dfreiber, jburrell, jcantril, mrajanna, muagarwa, nbecker, ocs-bugs, periklis, rogbas, tnielsen, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: vault 1.13.1, vault 1.12.5, vault 1.11.9 Doc Type: ---
Doc Text:
A flaw was found in the Hashicorp vault. Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in a denial of service of the PKI mount. This bug did not affect public or private key material, trust chains, or certificate issuance.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-18 04:47:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2182982, 2182983, 2182984, 2182985, 2182986, 2182987, 2182988    
Bug Blocks: 2182965    

Description Avinash Hanwate 2023-03-30 06:41:48 UTC 
HashiCorp Vault's PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

https://discuss.hashicorp.com/t/hcsec-2023-11-vault-s-pki-issuer-endpoint-did-not-correctly-authorize-access-to-issuer-metadata/52079/1
Comment 4 errata-xmlrpc 2023-05-17 22:31:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326
Comment 5 Product Security DevOps Team 2023-05-18 04:47:40 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0665
Comment 6 errata-xmlrpc 2023-06-22 19:52:29 UTC 
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
Comment 7 errata-xmlrpc 2023-10-31 12:54:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006