Bug 768312 (CVE-2020-25594, CVE-2021-27668, CVE-2021-3024, CVE-2021-3282)

Summary: <app-admin/vault-{1.5.7,1.6.3}: multiple vulnerabilities (CVE-2020-25594, CVE-2021-{3024,3282,27668})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 797244
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-02 04:26:33 UTC
CVE-2020-25594 (https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336):

HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

CVE-2021-3024 (https://discuss.hashicorp.com/t/hcsec-2021-02-vault-api-endpoint-exposed-internal-ip-address-without-authentication/20334):

HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

CVE-2021-3282 (https://discuss.hashicorp.com/t/hcsec-2021-04-vault-enterprise-s-dr-secondaries-allowed-raft-peer-removal-without-authentication/20337):

HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` raft operator command to be executed against DR secondaries without authentication. Fixed in 1.6.2.
Comment 1 Larry the Git Cow gentoo-dev 2021-02-26 01:16:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62f5d7318ff141bbff793f734b157d9ec325560b

commit 62f5d7318ff141bbff793f734b157d9ec325560b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-02-26 01:12:46 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-02-26 01:16:12 +0000

    app-admin/vault: Bump to version 1.6.3
    
    Bug: https://bugs.gentoo.org/768312
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.6.3.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=80562755d126ae8b3b59be7e12aea5f9a213e548

commit 80562755d126ae8b3b59be7e12aea5f9a213e548
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-02-26 01:07:31 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-02-26 01:16:12 +0000

    app-admin/vault: Bump to version 1.5.7
    
    Bug: https://bugs.gentoo.org/768312
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |  2 +
 app-admin/vault/vault-1.5.7.ebuild | 78 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
Comment 2 Zac Medico gentoo-dev 2021-02-26 01:21:37 UTC
1.6.3 has this:

https://discuss.hashicorp.com/t/hcsec-2021-05-vault-enterprise-s-dr-secondaries-exposed-license-metadata-without-authentication/21427

Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault licenses from DR Secondaries. This vulnerability affects Vault and Vault Enterprise and is fixed in 1.6.3 (CVE-2021-27668).
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-21 00:45:23 UTC
Well, not sure how I missed this, but now we've got another Vault security bug we can handle this with.
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:24:14 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:32:40 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:40:34 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:48:44 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:04:40 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:12:58 UTC
Package list is empty or all packages have requested keywords.
Comment 10 Larry the Git Cow gentoo-dev 2022-08-01 18:07:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-01 18:09:00 UTC
GLSA released, all done!