
Bug 829493 (CVE-2021-45042)

Summary: <app-admin/vault-{1.8.6,1.9.1}: authenticated DoS (CVE-2021-45042)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://discuss.hashicorp.com/t/hcsec2-21-33-vault-s-kv-secrets-engine-with-integrated-storage-exposed-to-authenticated-denial-of-service/33157
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-17 18:00:40 UTC
CVE-2021-45042:

In HashiCorp Vault and Vault Enterprise before 1.7.7, 1.8.x before 1.8.6, and 1.9.x before 1.9.1, clusters using the Integrated Storage backend allowed an authenticated user (with write permissions to a kv secrets engine) to cause a panic and denial of service of the storage backend. The earliest affected version is 1.4.0.


Please stabilize 1.8.6.
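As an added example (not part of this bug report, of Gentoo's packaging, or of HashiCorp's own code), the following Python check maps a Vault version string onto the affected ranges quoted in the CVE text above (1.4.0 up to but excluding 1.7.7, 1.8.x before 1.8.6, 1.9.x before 1.9.1) and additionally considers whether the cluster uses Integrated Storage, since the description limits the panic to that backend. The `is_exposed` helper, the `storage "raft"` config-stanza mapping and the assumption that `vault version` prints a line of the form `Vault v1.8.5 (...)` are this example's own; the sample inputs are constructed.

```python
# Added example: offline check of a Vault version against the ranges given in
# the CVE-2021-45042 description. Not code from the Gentoo bug or from Vault.
import re
from typing import Tuple

Version = Tuple[int, int, int]

# Half-open intervals [lo, hi) taken from the CVE text on this bug:
# 1.4.0 <= v < 1.7.7, 1.8.0 <= v < 1.8.6, 1.9.0 <= v < 1.9.1.
AFFECTED_RANGES = (
    ((1, 4, 0), (1, 7, 7)),
    ((1, 8, 0), (1, 8, 6)),
    ((1, 9, 0), (1, 9, 1)),
)

# Accepts "1.8.5", "v1.8.5", "1.8.6+ent" (Enterprise suffix) and a full
# "Vault v1.8.5 (<sha>)" line as assumed from `vault version`; only the
# numeric major.minor.patch triple is used for the comparison.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the major.minor.patch triple from a version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the release falls inside one of the vulnerable ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def is_exposed(version: str, storage_backend: str) -> bool:
    """The panic is reachable only on clusters using Integrated Storage,
    i.e. the `storage "raft"` stanza in the Vault server config (assumption
    of this example: the backend name is passed in as configured)."""
    return is_affected(version) and storage_backend.strip().lower() == "raft"


if __name__ == "__main__":
    # Constructed sample inputs covering each range boundary.
    samples = (
        ("Vault v1.8.5 (abc123)", "raft"),
        ("1.8.6+ent", "raft"),
        ("1.7.6", "consul"),
        ("1.9.0", "raft"),
        ("1.3.9", "raft"),
    )
    for sample, backend in samples:
        print(f"{sample:24} storage={backend:7} "
              f"affected={is_affected(sample)} "
              f"exposed={is_exposed(sample, backend)}")
```

The check is deliberately conservative in one direction only: a version outside every range is reported as not affected, but a non-raft backend on an affected version still shows `affected=True`, so an operator who later switches that cluster to Integrated Storage is not misled by a stale "not exposed" result.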
Comment 1 Larry the Git Cow gentoo-dev 2021-12-18 21:18:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49e506f623779fe9bb8b1b5580a2a696dc935a47

commit 49e506f623779fe9bb8b1b5580a2a696dc935a47
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-12-18 21:15:29 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-12-18 21:18:20 +0000

    app-admin/vault: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/829493
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest           |    7 -
 app-admin/vault/vault-1.8.5.ebuild | 1837 ----------------------------------
 app-admin/vault/vault-1.9.0.ebuild | 1898 ------------------------------------
 3 files changed, 3742 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e6ed71b6f62c3be3f384486c417a855e907d8d5

commit 2e6ed71b6f62c3be3f384486c417a855e907d8d5
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-12-18 21:13:48 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-12-18 21:18:19 +0000

    app-admin/vault: stabilize 1.8.6 for amd64
    
    Bug: https://bugs.gentoo.org/829493
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/vault-1.8.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-19 00:14:49 UTC
Thank you!
Comment 3 Larry the Git Cow gentoo-dev 2022-08-01 18:07:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=254c716d0dd35a6846f281fd4a3eaf970dc0bede

commit 254c716d0dd35a6846f281fd4a3eaf970dc0bede
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-07-29 21:22:59 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-01 18:05:08 +0000

    [ GLSA-202207-01 ] HashiCorp Vault: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/768312
    Bug: https://bugs.gentoo.org/797244
    Bug: https://bugs.gentoo.org/808093
    Bug: https://bugs.gentoo.org/817269
    Bug: https://bugs.gentoo.org/827945
    Bug: https://bugs.gentoo.org/829493
    Bug: https://bugs.gentoo.org/835070
    Bug: https://bugs.gentoo.org/845405
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202207-01.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-01 18:09:02 UTC
GLSA released, all done!