Vault - 1.11.4

Security

September 30, 2022

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).

CHANGES:

  • licensing (enterprise): Remove support for stored licenses and associated sys/license and sys/license/signed endpoints in favor of autoloaded licenses.
  • replication (enterprise): The /sys/replication/performance/primary/mount-filter endpoint has been removed. Please use Paths Filter instead.

FEATURES:

  • transform (enterprise): MySQL databases can now be used as external stores for tokenization
  • transform (enterprise): Support key rotation for tokenization transformations
  • transform (enterprise): Add snapshot and restore functionality to tokenization
  • Autopilot Improvements (Enterprise): Autopilot on Vault Enterprise now supports automated upgrades and redundancy zones when using integrated storage.
  • Key Management Secrets Engine (Enterprise): Adds support for distributing and managing keys in GCP Cloud KMS. [GH-2158]
  • Namespaces (Enterprise): Adds support for locking Vault API for particular namespaces. [GH-2213]
  • Transform Secrets Engine (Enterprise): New features for advanced encoding and decoding in format preserving encryption.
  • kmip (enterprise): Return SecretData as supported Object Type.
  • storage/raft/autopilot (enterprise): Enable Autopilot on DR secondary clusters

IMPROVEMENTS:

  • transform (enterprise): Improve FPE transformation performance
  • transform (enterprise): Use transactions with batch tokenization operations for improved performance
  • core/managed-keys (enterprise): Allow configuring the number of parallel operations to PKCS#11 managed keys.
  • agent/auto-auth: Add exit_on_err which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
  • agent: Send notifications to systemd on start and stop. [GH-9802]
  • command (enterprise): "vault license get" now uses non-deprecated endpoint /sys/license/status
  • core (enterprise): Include termination_time in sys/license/status response
  • core (enterprise): Include termination time in license inspect command output
  • core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. Also allow DR secondaries to serve metrics requests when using unauthenticated_metrics_access. [GH-1844]
  • core: Bump Go version in enterprise to 1.17.7.
  • http (enterprise): Serve /sys/license/status endpoint within namespaces
  • kmip (enterprise): Implement operations Query, Import, Encrypt and Decrypt. Improve operations Locate, Add Attribute, Get Attributes and Get Attribute List to handle most supported attributes.
  • replication (enterprise): Add merkle.flushDirty.num_pages_outstanding metric which specifies number of outstanding dirty pages that were not flushed. [GH-2093]
  • replication: Delay evaluation of X-Vault-Index headers until merkle sync completes. [GH-1814]
  • sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
  • transform (enterprise): Add a reference field to batch items, and propagate it to the response

BUG FIXES:

  • Fixed panic when adding or modifying a Duo MFA Method in Enterprise
  • agent: Fixes bug where vault agent is unaware of the namespace in the config when wrapping token
  • auth/cert: Fix: Vault did not initially load the CRLs in cert auth unless the read/write CRL endpoint was hit. [GH-17138]
  • auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17162]
  • auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
  • core (enterprise): Allow deletion of stored licenses on DR secondary nodes
  • core (enterprise): Allow local alias create RPCs to persist alias metadata
  • core (enterprise): Fix a data race in logshipper.
  • core (enterprise): Fix data race during perf standby sealing
  • core (enterprise): Fix overcounting of lease count quota usage at startup.
  • core (enterprise): Fix some races in merkle index flushing code found in testing
  • core (enterprise): Handle additional edge cases reinitializing PKCS#11 libraries after login errors.
  • core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
  • core (enterprise): Serialize access to HSM entropy generation to avoid errors in concurrent key generation.
  • core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
  • core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
  • core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
  • core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
  • core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
  • core: Fix: initialized unlicensed raft nodes were starting instead of failing with an error. [GH-1989]
  • ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
  • http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
  • identity/oidc: Adds claims_supported to discovery document. [GH-16992]
  • kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
  • kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
  • kmip (enterprise): Fix locate-by-name operations failing to find a key after a rekey operation.
  • kmip (enterprise): Forward KMIP register operations to the active node
  • license: Ignore stored terminated license while autoloading is enabled [GH-2104]
  • licensing (enterprise): Revert accidental inclusion of the TDE feature from the prem build.
  • raft (enterprise): Fix panic when updating auto-snapshot config
  • replication (enterprise): Fix data race in SaveCheckpoint()
  • replication (enterprise): Fix issue where merkle.flushDirty.num_pages metric is not emitted if number of dirty pages is 0. [GH-2093]
  • replication (enterprise): Fix merkle.saveCheckpoint.num_dirty metric to accurately specify the number of dirty pages in the merkle tree at time of checkpoint creation. [GH-2093]
  • replication (enterprise): When using encrypted secondary tokens, only clear the private key after a successful connection to the primary cluster
  • replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
  • replication: Fix: mounts created within a namespace that was part of an Allow filtering rule would not appear on performance secondary if created after rule was defined. [GH-1807]
  • secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-2456]
  • secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
  • secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
  • storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
  • storage/raft (enterprise): Ensure that raft autosnapshot backoff retry duration never hits 0s
  • storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [GH-17019]
  • transform (enterprise): Enforce minimum cache size for Transform backend and reset cache size without a restart
  • transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
  • transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.
  • ui: Fix lease force revoke action [GH-16930]
  • ui: Fixes secret version and status menu links transitioning to auth screen [GH-16983]

Details

  • date: Sept. 30, 2022, midnight
  • name: 1.11.4
  • type: Patch