Vault - 1.10.7

Security

September 30, 2022

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).

FEATURES:

  • transform (enterprise): MySQL databases can now be used as external stores for tokenization
  • transform (enterprise): Support key rotation for tokenization transformations
  • transform (enterprise): Add snapshot and restore functionality to tokenization
  • Key Management Secrets Engine (Enterprise): Adds support for distributing and managing keys in GCP Cloud KMS. [GH-2158]
  • Namespaces (Enterprise): Adds support for locking Vault API for particular namespaces. [GH-2213]
  • Transform Secrets Engine (Enterprise): New features for advanced encoding and decoding in format preserving encryption.
  • storage/raft/autopilot (enterprise): Enable Autopilot on DR secondary clusters

IMPROVEMENTS:

  • transform (enterprise): Improve FPE transformation performance
  • transform (enterprise): Use transactions with batch tokenization operations for improved performance
  • command (enterprise): "vault license get" now uses non-deprecated endpoint /sys/license/status
  • core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. Also allow DR secondaries to serve metrics requests when using unauthenticated_metrics_access. [GH-1844]
  • core: Bump Go version in enterprise to 1.17.7.
  • http (enterprise): Serve /sys/license/status endpoint within namespaces
  • replication (enterprise): Add merkle.flushDirty.num_pages_outstanding metric which specifies number of outstanding dirty pages that were not flushed. [GH-2093]
  • replication: Delay evaluation of X-Vault-Index headers until merkle sync completes. [GH-1814]
  • sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
  • transform (enterprise): Add a reference field to batch items, and propagate it to the response

BUG FIXES:

  • Fixed panic when adding or modifying a Duo MFA Method in Enterprise
  • agent: Fixes bug where vault agent is unaware of the namespace in the config when wrapping token
  • auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
  • core (enterprise): Allow deletion of stored licenses on DR secondary nodes
  • core (enterprise): Allow local alias create RPCs to persist alias metadata [GH-changelog:_2747]
  • core (enterprise): Fix a data race in logshipper.
  • core (enterprise): Fix data race during perf standby sealing
  • core (enterprise): Fix overcounting of lease count quota usage at startup.
  • core (enterprise): Fix some races in merkle index flushing code found in testing
  • core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
  • core (enterprise): Serialize access to HSM entropy generation to avoid errors in concurrent key generation.
  • core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
  • core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
  • core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
  • core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
  • core: Initialized unlicensed raft nodes were starting instead of failing with an error. [GH-1989]
  • ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
  • http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
  • identity/oidc: Adds claims_supported to discovery document. [GH-16992]
  • kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
  • kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
  • kmip (enterprise): Fix locate-by-name operations failing to find a key after a rekey operation.
  • kmip (enterprise): Forward KMIP register operations to the active node
  • license: Ignore stored terminated license while autoloading is enabled [GH-2104]
  • licensing (enterprise): Revert accidental inclusion of the TDE feature from the prem build.
  • metrics/autosnapshots (enterprise): Fix bug that could cause vault.autosnapshots.save.errors to not be incremented when there is an autosnapshot save error.
  • raft (enterprise): Fix panic when updating auto-snapshot config
  • replication (enterprise): Fix data race in SaveCheckpoint()
  • replication (enterprise): Fix issue where merkle.flushDirty.num_pages metric is not emitted if number of dirty pages is 0. [GH-2093]
  • replication (enterprise): Fix merkle.saveCheckpoint.num_dirty metric to accurately specify the number of dirty pages in the merkle tree at time of checkpoint creation. [GH-2093]
  • replication (enterprise): When using encrypted secondary tokens, only clear the private key after a successful connection to the primary cluster
  • replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
  • replication: Fix: mounts created within a namespace that was part of an Allow filtering rule would not appear on performance secondary if created after rule was defined. [GH-1807]
  • secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-2456]
  • secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
  • secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
  • storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
  • storage/raft (enterprise): Ensure that raft autosnapshot backoff retry duration never hits 0s
  • transform (enterprise): Enforce minimum cache size for Transform backend and reset cache size without a restart
  • transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
  • transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.
  • transform (enterprise): Fix non-overridable column default value causing tokenization tokens to expire prematurely when using the MySQL storage backend.
  • ui: Fix lease force revoke action [GH-16930]

Details

date: Sept. 30, 2022, midnight
name: 1.10.7
type: Patch