Bug 2249115 (CVE-2023-5954)

Summary: CVE-2023-5954 vault: inbound client requests can trigger a denial of service
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, dfreiber, drow, jburrell, madam, muagarwa, ocs-bugs, rogbas, sostapov, tnielsen, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Vault 1.15.2, Vault 1.14.6, Vault 1.13.10 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in The HashiCorp Vault, which may be susceptible to a denial of service due to an unbounded consumption of memory when handling policy requests. This issue may allow an attacker to trigger policy checks by sending multiple inbound client requests that create a logger that is never removed from memory, leading to excessive memory consumption, causing a denial of service condition.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2249116, 2249117, 2249118, 2249119, 2249120, 2249121    
Bug Blocks: 2249113    

Description Robb Gatica 2023-11-10 19:09:31 UTC 
Summary
Vault and Vault Enterprise (“Vault”) inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, is fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Background
Policies 1 provide a declarative way to define what can and cannot be accessed in Vault, and are used to authorize inbound client requests as described in Vault’s architecture documentation 1.

Details
An excessive memory consumption issue was introduced in Vault 1.15.0, 1.14.3, and 1.13.7 where inbound client requests triggering a policy check create a logger that is never removed from memory.

The side effect of this issue is an unbounded consumption of memory until out-of-memory processes are triggered by the operating system. Since the issue occurs on requests the memory growth is proportional to the volume of requests, and may result in denial-of-service.

Operators may have experienced increased memory usage after upgrading Vault to one of the affected versions above. This excessive memory consumption is more prevalent in Vault Enterprise.
Comment 2 errata-xmlrpc 2024-10-01 17:30:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:3718 https://access.redhat.com/errata/RHSA-2024:3718