Vault - 1.11.4
Security
September 30, 2022
SECURITY:
- Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).
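Added defender-side check, not code from this changelog or from HashiCorp: it walks a lease prefix through the sys/leases/lookup API and flags leases whose lookup carries no expire_time, which is assumed here to be how a lease left non-expiring by the issue above presents. VAULT_ADDR/VAULT_TOKEN in the environment and the sample lookup data are assumptions; the sample is constructed.

```python
import json
import os
import sys
import urllib.request

# Constructed sample of sys/leases/lookup "data" objects, keyed by lease id.
# A healthy lease carries an expire_time; a non-expiring one shows null.
SAMPLE_LOOKUPS = {
    "auth/token/create/h1": {"expire_time": "2022-10-01T12:00:00Z", "ttl": 3600},
    "auth/token/create/h2": {"expire_time": None, "ttl": 0},
    "database/creds/readonly/h3": {"expire_time": "2022-10-01T13:00:00Z", "ttl": 7200},
}


def is_non_expiring(lease):
    """True when a lookup result carries no expiry (expire_time null)."""
    return lease.get("expire_time") is None


def find_non_expiring(lookups):
    """Return the sorted lease ids in {lease_id: lookup data} that never expire."""
    return sorted(lid for lid, data in lookups.items() if is_non_expiring(data))


def _vault(method, path, body=None):
    """Minimal Vault HTTP call using VAULT_ADDR and VAULT_TOKEN from the environment."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


def collect_lookups(prefix):
    """Walk a lease prefix (sub-prefixes end in '/') and look up every lease under it."""
    lookups = {}
    for key in _vault("LIST", f"sys/leases/lookup/{prefix}").get("keys", []):
        if key.endswith("/"):
            lookups.update(collect_lookups(f"{prefix}/{key.rstrip('/')}"))
        else:
            lease_id = f"{prefix}/{key}"
            lookups[lease_id] = _vault("PUT", "sys/leases/lookup", {"lease_id": lease_id})
    return lookups


if __name__ == "__main__":
    # With no argument, run on the constructed sample; otherwise audit a live prefix
    # such as "auth/token/create" or "database/creds/readonly".
    lookups = collect_lookups(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOOKUPS
    for lease_id in find_non_expiring(lookups):
        print("non-expiring lease:", lease_id)
```

Hits are candidates for review and revocation through sys/leases/revoke, not proof that the issue occurred.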
CHANGES:
- licensing (enterprise): Remove support for stored licenses and associated sys/license and sys/license/signed endpoints in favor of autoloaded licenses.
- replication (enterprise): The /sys/replication/performance/primary/mount-filter endpoint has been removed. Please use Paths Filter instead.
FEATURES:
- transform (enterprise): MySQL databases can now be used as external stores for tokenization
- transform (enterprise): Support key rotation for tokenization transformations
- transform (enterprise): Add snapshot and restore functionality to tokenization
- Autopilot Improvements (Enterprise): Autopilot on Vault Enterprise now supports automated upgrades and redundancy zones when using integrated storage.
- Key Management Secrets Engine (Enterprise): Adds support for distributing and managing keys in GCP Cloud KMS. [GH-2158]
- Namespaces (Enterprise): Adds support for locking Vault API for particular namespaces. [GH-2213]
- Transform Secrets Engine (Enterprise): New features for advanced encoding and decoding in format preserving encryption.
- kmip (enterprise): Return SecretData as supported Object Type.
- storage/raft/autopilot (enterprise): Enable Autopilot on DR secondary clusters
IMPROVEMENTS:
- transform (enterprise): Improve FPE transformation performance
- transform (enterprise): Use transactions with batch tokenization operations for improved performance
- core/managed-keys (enterprise): Allow configuring the number of parallel operations to PKCS#11 managed keys.
- agent/auto-auth: Add exit_on_err which, when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
- agent: Send notifications to systemd on start and stop. [GH-9802]
- command (enterprise): "vault license get" now uses non-deprecated endpoint /sys/license/status
- core (enterprise): Include termination_time in sys/license/status response
- core (enterprise): Include termination time in license inspect command output
- core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. Also allow DR secondaries to serve metrics requests when using unauthenticated_metrics_access. [GH-1844]
- core: Bump Go version in enterprise to 1.17.7.
- http (enterprise): Serve /sys/license/status endpoint within namespaces
- kmip (enterprise): Implement operations Query, Import, Encrypt and Decrypt. Improve operations Locate, Add Attribute, Get Attributes and Get Attribute List to handle most supported attributes.
- replication (enterprise): Add merkle.flushDirty.num_pages_outstanding metric which specifies the number of outstanding dirty pages that were not flushed. [GH-2093]
- replication: Delay evaluation of X-Vault-Index headers until merkle sync completes. [GH-1814]
- sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
- transform (enterprise): Add a reference field to batch items, and propagate it to the response
BUG FIXES:
- Fixed panic when adding or modifying a Duo MFA Method in Enterprise
- agent: Fixes bug where vault agent is unaware of the namespace in the config when wrapping token
- auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
- auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17162]
- auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
- core (enterprise): Allow deletion of stored licenses on DR secondary nodes
- core (enterprise): Allow local alias create RPCs to persist alias metadata
- core (enterprise): Fix a data race in logshipper.
- core (enterprise): Fix data race during perf standby sealing
- core (enterprise): Fix overcounting of lease count quota usage at startup.
- core (enterprise): Fix some races in merkle index flushing code found in testing
- core (enterprise): Handle additional edge cases reinitializing PKCS#11 libraries after login errors.
- core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
- core (enterprise): serialize access to HSM entropy generation to avoid errors in concurrent key generation.
- core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
- core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
- core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
- core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
- core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
- core: initialized unlicensed raft nodes were starting instead of failing with an error. [GH-1989]
- ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
- http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
- identity/oidc: Adds claims_supported to discovery document. [GH-16992]
- kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
- kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
- kmip (enterprise): Fix locate by name operations fail to find key after a rekey operation.
- kmip (enterprise): Forward KMIP register operations to the active node
- license: ignore stored terminated license while autoloading is enabled [GH-2104]
- licensing (enterprise): Revert accidental inclusion of the TDE feature from the prem build.
- raft (enterprise): Fix panic when updating auto-snapshot config
- replication (enterprise): Fix data race in SaveCheckpoint()
- replication (enterprise): Fix issue where merkle.flushDirty.num_pages metric is not emitted if the number of dirty pages is 0. [GH-2093]
- replication (enterprise): Fix merkle.saveCheckpoint.num_dirty metric to accurately specify the number of dirty pages in the merkle tree at time of checkpoint creation. [GH-2093]
- replication (enterprise): When using encrypted secondary tokens, only clear the private key after a successful connection to the primary cluster
- replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
- replication: Fix: mounts created within a namespace that was part of an Allow filtering rule would not appear on performance secondary if created after rule was defined. [GH-1807]
- secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-2456]
- secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
- secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
- storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
- storage/raft (enterprise): Ensure that raft autosnapshot backoff retry duration never hits 0s
- storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [GH-17019]
- transform (enterprise): Enforce minimum cache size for Transform backend and reset cache size without a restart
- transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
- transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.
- ui: Fix lease force revoke action [GH-16930]
- ui: Fixes secret version and status menu links transitioning to auth screen [GH-16983]
Release details: name 1.11.4, type Patch, date Sept. 30, 2022