Bug 2034914 (CVE-2021-45042) - CVE-2021-45042 vault: clusters using the integrated storage backend allowed an authenticated user to cause a DoS of the storage backend
Summary: CVE-2021-45042 vault: clusters using the integrated storage backend allowed a...
Keywords:
Status: NEW
Alias: CVE-2021-45042
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2034915
TreeView+ depends on / blocked
 
Reported: 2021-12-22 13:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-10-25 17:21 UTC (History)
19 users (show)

Fixed In Version: vault 1.7.7, vault 1.8.6, vault 1.9.1
Doc Type: If docs needed, set a value
Doc Text:
A denial of service attack was discovered against vault. For clusters using the Integrated Storage (Raft) backend, an authenticated user with write permissions to the KV secrets engine can cause a panic leading to a denial of service of the storage backend, by supplying a key larger than 32KB.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-12-22 13:36:55 UTC 
In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.

Reference:
https://discuss.hashicorp.com/t/hcsec2-21-33-vault-s-kv-secrets-engine-with-integrated-storage-exposed-to-authenticated-denial-of-service/33157
Comment 2 Hardik Vyas 2021-12-28 14:06:10 UTC 
Upstream fix: https://github.com/hashicorp/vault/commit/859cf45d05b40b2cd13f8696acc68a3754402ffc
Note You need to log in before you can comment on or make changes to this bug.