Summary
Vault Community and Vault Enterprise (“Vault”) clusters using Vault’s Integrated Storage backend are vulnerable to a denial-of-service (DoS) attack through memory exhaustion through a Raft cluster join API endpoint . An attacker may send a large volume of requests to the endpoint which may cause Vault to consume excessive system memory resources, potentially leading to a crash of the underlying system and the Vault process itself.
This vulnerability, CVE-2024-8185, is fixed in Vault Community 1.18.1 and Vault Enterprise 1.18.1, 1.17.8, and 1.16.12.
Background
Vault’s Integrated Storage backend is used to persist Vault’s data. The backend uses a HashiCorp implementation of the Raft Consensus Algorithm to distribute the data to all joined nodes so that all nodes in a Vault cluster have a copy of the data. A highly available Vault deployment may consist of several nodes over several availability zones to protect against Vault data corruption and also can improve Vault’s performance.
Details
In a Vault deployment where Integrated Storage is used as the storage backend, additional nodes can be added to improve fault tolerance against data loss and availability failures. Additional nodes added through the storage "raft" {}
configuration will be automatically added to the Vault cluster if it is unsealed.
As part of the joining process to the Vault and Raft cluster, the joining node needs to complete a challenge using the seal key to successfully join. A part of this process requires Vault to perform a cryptographic operation for each request. Given enough requests which trigger cryptographic operations, Vault will continue to consume system resources until the host system is out of memory, potentially leading to a crash of the underlying system and Vault itself.
Affected Products / Versions:
Vault Community Edition from 1.2.0 up to 1.18.0
Vault Enterprise from 1.2.0 up to 1.18.0, 1.17.7, 1.16.11
Remediation
Customers should evaluate the risk associated with this issue (exposure will depend on deployment-specific network architecture and associated security controls) and consider upgrading to Vault Community 1.18.1 or Vault Enterprise 1.18.1, 1.17.8, and 1.16.12, or newer.
Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.