Bug 920177 (CVE-2023-6337, HCSEC-2023-34)

Summary:	<app-admin/vault-1.14.8: denial of service via large HTTP requests
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	CONFIRMED ---
Severity:	minor	CC:	zmedico
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741
Whiteboard:	B3 [stable?]
Package list:		Runtime testing required:	---
Bug Depends on:	918420
Bug Blocks:

Description John Helmert III archtester

2023-12-16 23:38:30 UTC

CVE-2023-6337:

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.

Fixed in Vault 1.15.4, 1.14.8, 1.13.12.


Please bump (and ideally stabilize for bug 9184120 too).

Comment 1 Larry the Git Cow gentoo-dev

2023-12-18 04:46:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1ee3a0737d807e5704a5f5455118bfe48af1f87

commit f1ee3a0737d807e5704a5f5455118bfe48af1f87
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2023-12-18 04:45:10 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2023-12-18 04:46:14 +0000

    app-admin/vault: add 1.14.8
    
    Bug: https://bugs.gentoo.org/920177
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-admin/vault/Manifest            |  2 +
 app-admin/vault/vault-1.14.8.ebuild | 86 +++++++++++++++++++++++++++++++++++++
 2 files changed, 88 insertions(+)