Summary

Vault and Vault Enterprise ("Vault") inbound client requests that trigger a policy check can lead to unbounded memory consumption. A large number of such requests may lead to denial of service. This vulnerability, CVE-2023-5954, is fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Background

Policies [1] provide a declarative way to define what can and cannot be accessed in Vault, and are used to authorize inbound client requests as described in Vault's architecture documentation [1].

Details

An excessive memory consumption issue was introduced in Vault 1.15.0, 1.14.3, and 1.13.7: inbound client requests that trigger a policy check create a logger that is never removed from memory. The side effect is unbounded memory growth until the operating system's out-of-memory handling kills the Vault process. Because the leak happens once per request, memory growth is proportional to request volume, and a sufficiently high request rate may result in denial of service. The affected releases are therefore those from the introducing version up to, but not including, the fixed version on each branch (1.13.7 through 1.13.9, 1.14.3 through 1.14.5, and 1.15.0 through 1.15.1). Operators may have observed increased memory usage after upgrading Vault to one of the affected versions. The excessive memory consumption is more prevalent in Vault Enterprise.
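The following Go program is an added illustration of the failure mode described in Details, not Vault's code: a long-lived registry hands out a named logger per request, and the flawed path never deregisters it, so the number of retained loggers (and their memory) grows with the request count; the corrected path releases the logger when the check completes. The Registry, Logger and PolicyCheck* names are hypothetical stand-ins chosen for this example, and the policy decision itself is stubbed out because only the lifetime of the logger matters here.

```go
package main

import (
	"fmt"
	"sync"
)

// Logger is a stand-in for a per-request logger. The buffer makes the cost of
// keeping one alive visible; a real logger carries handlers, levels, etc.
type Logger struct {
	name string
	buf  []byte
}

// Registry models a long-lived logging subsystem (hypothetical, not Vault's)
// shared by every request. Entries live until something deletes them.
type Registry struct {
	mu      sync.Mutex
	loggers map[string]*Logger
	seq     int
}

func NewRegistry() *Registry {
	return &Registry{loggers: make(map[string]*Logger)}
}

// Register creates a named logger and records it so it can be looked up later.
func (r *Registry) Register(prefix string) *Logger {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.seq++
	l := &Logger{name: fmt.Sprintf("%s-%d", prefix, r.seq), buf: make([]byte, 0, 1024)}
	r.loggers[l.name] = l
	return l
}

// Release drops the registry's reference so the logger can be collected.
func (r *Registry) Release(l *Logger) {
	r.mu.Lock()
	defer r.mu.Unlock()
	delete(r.loggers, l.name)
}

// Retained reports how many loggers the registry still references. Exposing a
// number like this as a metric is how an operator would spot the growth.
func (r *Registry) Retained() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.loggers)
}

// PolicyCheckLeaky is the flawed pattern: the logger is registered for the
// request and the function returns without ever releasing it.
func PolicyCheckLeaky(r *Registry, path string) bool {
	l := r.Register("policy-check")
	l.buf = append(l.buf, "evaluating "+path...)
	return true // the actual ACL decision is irrelevant to the leak
}

// PolicyCheckFixed scopes the logger to the request: Release runs on every
// return path, including panics, because it is deferred.
func PolicyCheckFixed(r *Registry, path string) bool {
	l := r.Register("policy-check")
	defer r.Release(l)
	l.buf = append(l.buf, "evaluating "+path...)
	return true
}

// SimulateRequests drives n policy checks through check against a fresh
// registry and returns how many loggers remain referenced afterwards.
func SimulateRequests(n int, check func(*Registry, string) bool) int {
	r := NewRegistry()
	for i := 0; i < n; i++ {
		check(r, fmt.Sprintf("secret/data/app-%d", i)) // constructed sample paths
	}
	return r.Retained()
}

func main() {
	fmt.Println("leaky, retained after 10000 requests:", SimulateRequests(10000, PolicyCheckLeaky))
	fmt.Println("fixed, retained after 10000 requests:", SimulateRequests(10000, PolicyCheckFixed))
}
```

The retained count is the useful signal: it is proportional to requests served in the leaky variant and stays at zero in the fixed one, which matches the advisory's description of growth that tracks request volume rather than time.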
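As an added operator check, not part of the advisory, the Go program below decides whether a Vault version string falls inside the affected ranges derived above (introducing release inclusive, fixed release exclusive). It assumes the input looks like the output of `vault version`, for example "Vault v1.15.1+ent (sha)" or plain "1.14.4"; any prerelease or build suffix after the patch number is ignored, so a prerelease such as 1.15.0-rc1 is treated as 1.15.0 (conservative, it is reported as affected).

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type semver struct{ major, minor, patch int }

// less is a plain lexicographic comparison on (major, minor, patch).
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// parseVaultVersion extracts major.minor.patch from a `vault version` style
// string. Assumption: an optional "Vault " prefix, an optional "v", and any
// "+ent", "-rc1" or trailing text after the patch number are not significant.
func parseVaultVersion(s string) (semver, error) {
	v := strings.TrimSpace(s)
	v = strings.TrimPrefix(v, "Vault ")
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, " +-"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("unrecognised version %q", s)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("unrecognised version %q", s)
		}
		out[i] = n
	}
	return semver{out[0], out[1], out[2]}, nil
}

// affectedRanges are [introduced, fixed) per branch, taken from the advisory:
// introduced in 1.13.7 / 1.14.3 / 1.15.0, fixed in 1.13.10 / 1.14.6 / 1.15.2.
var affectedRanges = []struct{ from, to semver }{
	{semver{1, 13, 7}, semver{1, 13, 10}},
	{semver{1, 14, 3}, semver{1, 14, 6}},
	{semver{1, 15, 0}, semver{1, 15, 2}},
}

// IsAffected reports whether the given Vault version is within an affected range.
func IsAffected(version string) (bool, error) {
	v, err := parseVaultVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if !v.less(r.from) && v.less(r.to) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs in the shape `vault version` prints.
	for _, s := range []string{"Vault v1.15.1+ent (deadbeef)", "1.14.6", "v1.13.8", "1.12.11"} {
		affected, err := IsAffected(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-30s affected by CVE-2023-5954: %v\n", s, affected)
	}
}
```

Run it against the output of `vault version` on each node; a true result means the node is on a release with the leak and should be upgraded to 1.13.10, 1.14.6, or 1.15.2 (or later on that branch) as stated in the Summary.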
This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.17, via RHSA-2024:3718: https://access.redhat.com/errata/RHSA-2024:3718