Summary
Vault and Vault Enterprise (“Vault”) is vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash. This vulnerability, CVE-2023-6337, is fixed in Vault 1.15.4, 1.14.8, 1.13.12.
Background
Vault’s server exposes HTTP API endpoints. The Vault HTTP API gives you full access to Vault using REST-like HTTP verbs. The Vault CLI and Web UI use the HTTP API to access Vault, as all other consumers do.
Details
An excessive memory consumption issue was introduced in 1.12.0, where inbound HTTP requests are processed as part of a function that determines whether a rate limit quota has been reached for certain auth methods. This operation is done before limits and quotas have been applied to the request.
This function processes every HTTP request sent to Vault to determine whether to apply a rate limit. As part of this processing, the request is copied into memory with no bounds checks or limits. A large request copied into memory in this way may consume the available memory of the host until the operating system's out-of-memory handling is triggered, which may cause Vault to crash and not recover automatically.
This issue may also be triggered by legitimate Vault usage that involves large requests, such as restoring large snapshots.
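The pattern described above, buffering a client-controlled request body before any size limit is applied, and the mitigation of bounding the read, as an added illustration in Go. This is example code written for this advisory, not Vault's own code or its fix: the 1 MiB limit, the handler, and the request path are assumptions chosen for the demonstration, and the pre-authentication step is a stand-in for the quota check the advisory mentions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes is an assumed limit for this example (1 MiB). A real server
// picks a value based on the largest legitimate payload its API must accept.
const maxBodyBytes = 1 << 20

// bufferedUnbounded shows the problematic pattern: the whole body is read into
// memory with io.ReadAll and the allocation size is dictated by the client.
// It returns how many bytes ended up in memory for a constructed body of n bytes.
func bufferedUnbounded(n int) int {
	body := bytes.NewReader(bytes.Repeat([]byte("A"), n)) // constructed input
	req := httptest.NewRequest(http.MethodPost, "/v1/sys/example", body)
	data, _ := io.ReadAll(req.Body)
	return len(data)
}

// readBodyBounded wraps the body in http.MaxBytesReader so that a read past
// the limit fails with *http.MaxBytesError instead of growing the buffer.
func readBodyBounded(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	return io.ReadAll(r.Body)
}

// inspectHandler is a stand-in for a step that runs before authentication
// and quota enforcement (like the rate-limit check in the advisory) and needs
// to look at the request body. Oversized bodies are rejected with 413.
func inspectHandler(limit int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := readBodyBounded(w, r, limit)
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// The bounded body can now be inspected safely; nothing else to do here.
		_ = body
		w.WriteHeader(http.StatusOK)
	})
}

// sendBody drives the handler in-process with a constructed body of n bytes
// and returns the HTTP status code, so the behaviour can be checked offline.
func sendBody(h http.Handler, n int) int {
	body := bytes.NewReader(bytes.Repeat([]byte("A"), n)) // constructed input
	req := httptest.NewRequest(http.MethodPost, "/v1/sys/example", body)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := inspectHandler(maxBodyBytes)
	fmt.Println("unbounded read buffered bytes:", bufferedUnbounded(maxBodyBytes+1)) // 1048577
	fmt.Println("1 KiB body:", sendBody(h, 1024))                                      // 200
	fmt.Println("body at limit:", sendBody(h, maxBodyBytes))                           // 200
	fmt.Println("body over limit:", sendBody(h, maxBodyBytes+1))                      // 413
}
```

The key design point is where the bound sits: it must wrap the body before any code path that buffers it, including pre-authentication checks, since a limit applied only after the buffering step has already happened protects nothing. http.MaxBytesReader also tells the server to close the connection after an oversized read, so the client cannot keep streaming. For the Vault case itself the remediation is the version upgrade below; this example only illustrates the class of defect.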
Affected Products / Versions:
Vault and Vault Enterprise since 1.12.0.
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.15.4, 1.14.8, 1.13.12, or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.