
Bug 827945 (CVE-2021-43998)

Summary: <app-admin/vault-1.8.5: incorrect policy enforcement (CVE-2021-43998)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://discuss.hashicorp.com/t/hcsec-2021-30-vaults-templated-acl-policies-matched-first-created-alias-per-entity-and-auth-backend/32132
Whiteboard: B4 [glsa+]
Package list: (none)
Runtime testing required: ---

Description John Helmert III (ajak) 2021-12-01 16:33:19 UTC
CVE-2021-43998:

HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8.4 templated ACL policies would always match the first-created entity alias if multiple entity aliases exist for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. Fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
Please stabilize 1.8.5.
Comment 1 Larry the Git Cow 2021-12-02 04:18:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a595c06ccdebc965f7776ab1163956006811d21

commit 9a595c06ccdebc965f7776ab1163956006811d21
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-12-02 04:16:09 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-12-02 04:18:17 +0000

    app-admin/vault: Remove vulnerable 1.8.4
    
    Bug: https://bugs.gentoo.org/827945
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |    6 -
 app-admin/vault/vault-1.8.4.ebuild | 1837 ------------------------------------
 2 files changed, 1843 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b97db335bac80857a566aaf00cdc7c446873b5e5

commit b97db335bac80857a566aaf00cdc7c446873b5e5
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-12-02 04:15:06 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-12-02 04:18:16 +0000

    app-admin/vault: stabilize 1.8.5
    
    Bug: https://bugs.gentoo.org/827945
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.8.5.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 John Helmert III (ajak) 2021-12-02 16:00:10 UTC
Thanks Zac!
Comment 3 Larry the Git Cow 2022-08-01 18:07:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 4 John Helmert III (ajak) 2022-08-01 18:09:02 UTC
GLSA released, all done!