Vault - 1.10.7
Security
September 30, 2022
SECURITY:
- Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).
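The failure mode above is a sentinel-value bug: a lease whose renewal TTL rounds down to zero is stored with a value the system reads as "no expiry", so the revocation sweeper never touches it. The following Go program is an added illustration written for this page, not Vault's own code; its Lease type, the truncation-to-seconds step and the "0 means never expires" convention are assumptions chosen to reproduce the class of bug. It shows a renewal that silently produces a non-expiring lease, the hardened renewal that refuses to hand the store a value equal to the sentinel, and the audit an operator would run over a lease inventory to find leases that will never be swept.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrMaxTTLReached is returned by the hardened renewal when no time remains.
var ErrMaxTTLReached = errors.New("lease cannot be renewed: max TTL reached")

// Lease is a constructed, simplified lease record for this example only.
// It borrows one convention common to lease systems: a stored TTL of 0 means
// "no expiry", which is the sentinel that makes this bug class dangerous.
type Lease struct {
	ID       string
	IssuedAt time.Time
	MaxTTL   time.Duration // hard cap measured from IssuedAt
	TTL      time.Duration // 0 => never expires
	ExpireAt time.Time     // zero value when TTL == 0
}

// NonExpiring reports whether the revocation sweeper would ever touch this lease.
func (l Lease) NonExpiring() bool { return l.TTL == 0 }

// withTTL records a new TTL the way the store does: zero is the no-expiry sentinel.
func (l Lease) withTTL(now time.Time, ttl time.Duration) Lease {
	l.TTL = ttl
	if ttl == 0 {
		l.ExpireAt = time.Time{}
	} else {
		l.ExpireAt = now.Add(ttl)
	}
	return l
}

// remainingMax returns how much of the max TTL is left, truncated to whole
// seconds; that truncation turns "400ms left" into 0.
func remainingMax(l Lease, now time.Time) time.Duration {
	return l.IssuedAt.Add(l.MaxTTL).Sub(now).Truncate(time.Second)
}

// renewVulnerable caps the requested increment by the remaining max TTL and
// stores whatever comes out. Near the end of the max TTL the cap is 0s, and a
// 0s TTL is silently stored as "never expires" instead of being rejected.
func renewVulnerable(l Lease, now time.Time, increment time.Duration) Lease {
	ttl := increment.Truncate(time.Second)
	if rem := remainingMax(l, now); rem < ttl {
		ttl = rem
	}
	if ttl < 0 {
		ttl = 0
	}
	return l.withTTL(now, ttl)
}

// renewFixed refuses to renew once less than one full second remains, so the
// value handed to the store can never collide with the no-expiry sentinel.
func renewFixed(l Lease, now time.Time, increment time.Duration) (Lease, error) {
	if increment < time.Second {
		return l, errors.New("renewal increment must be at least 1s")
	}
	rem := remainingMax(l, now)
	if rem < time.Second {
		return l, ErrMaxTTLReached
	}
	ttl := increment.Truncate(time.Second)
	if rem < ttl {
		ttl = rem
	}
	return l.withTTL(now, ttl), nil
}

// auditNonExpiring is the operator-side check: IDs of leases that will never be swept.
func auditNonExpiring(leases []Lease) []string {
	var ids []string
	for _, l := range leases {
		if l.NonExpiring() {
			ids = append(ids, l.ID)
		}
	}
	return ids
}

func main() {
	issued := time.Date(2022, 9, 30, 0, 0, 0, 0, time.UTC)
	base := Lease{ID: "auth/token/create/h1", IssuedAt: issued, MaxTTL: time.Hour}
	lease := base.withTTL(issued, time.Hour)
	// A renewal arrives 400ms before the max TTL is exhausted.
	now := issued.Add(time.Hour - 400*time.Millisecond)

	bad := renewVulnerable(lease, now, 30*time.Minute)
	fmt.Printf("vulnerable: ttl=%v non-expiring=%v\n", bad.TTL, bad.NonExpiring())

	_, err := renewFixed(lease, now, 30*time.Minute)
	fmt.Printf("fixed: err=%v\n", err)

	fmt.Println("leases never swept:", auditNonExpiring([]Lease{bad}))
}
```

The hardened path treats "less than one second left" as "max TTL reached" and returns an error to the caller, which is the behaviour a renewer should expect; clamping to a minimum of 1s would also avoid the sentinel but would grant time the policy did not allow.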
FEATURES:
- transform (enterprise): MySQL databases can now be used as external stores for tokenization
- transform (enterprise): Support key rotation for tokenization transformations
- transform (enterprise): Add snapshot and restore functionality to tokenization
- Key Management Secrets Engine (Enterprise): Adds support for distributing and managing keys in GCP Cloud KMS. [GH-2158]
- Namespaces (Enterprise): Adds support for locking Vault API for particular namespaces. [GH-2213]
- Transform Secrets Engine (Enterprise): New features for advanced encoding and decoding in format preserving encryption.
- storage/raft/autopilot (enterprise): Enable Autopilot on DR secondary clusters
IMPROVEMENTS:
- transform (enterprise): Improve FPE transformation performance
- transform (enterprise): Use transactions with batch tokenization operations for improved performance
- command (enterprise): "vault license get" now uses non-deprecated endpoint /sys/license/status
- core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. Also allow DR secondaries to serve metrics requests when using unauthenticated_metrics_access. [GH-1844]
- core: Bump Go version in enterprise to 1.17.7.
- http (enterprise): Serve /sys/license/status endpoint within namespaces
- replication (enterprise): Add merkle.flushDirty.num_pages_outstanding metric which specifies number of outstanding dirty pages that were not flushed. [GH-2093]
- replication: Delay evaluation of X-Vault-Index headers until merkle sync completes. [GH-1814]
- sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
- transform (enterprise): Add a "reference" field to batch items, and propagate it to the response
BUG FIXES:
- Fixed panic when adding or modifying a Duo MFA Method in Enterprise
- agent: Fixes bug where vault agent is unaware of the namespace in the config when wrapping a token
- auth/cert: Fix CRLs configured in the cert auth method not being loaded initially (they were only loaded once the CRL read/write endpoint was hit), during which time a certificate listed in the CRL could still authenticate. [GH-17138]
- core (enterprise): Allow deletion of stored licenses on DR secondary nodes
- core (enterprise): Allow local alias create RPCs to persist alias metadata [GH-changelog:_2747]
- core (enterprise): Fix a data race in logshipper.
- core (enterprise): Fix data race during perf standby sealing
- core (enterprise): Fix overcounting of lease count quota usage at startup.
- core (enterprise): Fix some races in merkle index flushing code found in testing
- core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
- core (enterprise): serialize access to HSM entropy generation to avoid errors in concurrent key generation.
- core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
- core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
- core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
- core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
- core: Initialized but unlicensed raft nodes were starting instead of failing with an error. [GH-1989]
- ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
- http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
- identity/oidc: Adds "claims_supported" to discovery document. [GH-16992]
- kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
- kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
- kmip (enterprise): Fix locate-by-name operations failing to find a key after a rekey operation.
- kmip (enterprise): Forward KMIP register operations to the active node
- license: ignore stored terminated license while autoloading is enabled [GH-2104]
- licensing (enterprise): Revert accidental inclusion of the TDE feature from the "prem" build.
- metrics/autosnapshots (enterprise): Fix bug that could cause vault.autosnapshots.save.errors to not be incremented when there is an autosnapshot save error.
- raft (enterprise): Fix panic when updating auto-snapshot config
- replication (enterprise): Fix data race in SaveCheckpoint()
- replication (enterprise): Fix issue where merkle.flushDirty.num_pages metric is not emitted if number of dirty pages is 0. [GH-2093]
- replication (enterprise): Fix merkle.saveCheckpoint.num_dirty metric to accurately specify the number of dirty pages in the merkle tree at time of checkpoint creation. [GH-2093]
- replication (enterprise): When using encrypted secondary tokens, only clear the private key after a successful connection to the primary cluster
- replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
- replication: Fix: mounts created within a namespace that was part of an Allow filtering rule would not appear on performance secondary if created after rule was defined. [GH-1807]
- secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-2456]
- secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
- secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
- storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
- storage/raft (enterprise): Ensure that raft autosnapshot backoff retry duration never hits 0s
- transform (enterprise): Enforce minimum cache size for Transform backend and reset cache size without a restart
- transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
- transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.
- transform (enterprise): Fix non-overridable column default value causing tokenization tokens to expire prematurely when using the MySQL storage backend.
- ui: Fix lease force revoke action [GH-16930]