fix(deps): update module github.com/hashicorp/vault to v1.14.8 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/hashicorp/vault	require	patch	v1.14.1 -> v1.14.8

GitHub Vulnerability Alerts

CVE-2023-4680

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

CVE-2023-5954

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

CVE-2023-6337

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.

Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

---

Release Notes

hashicorp/vault (github.com/hashicorp/vault)

v1.14.8

Compare Source

1.14.8

SECURITY:

• core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. Upgrading is strongly recommended.(see CVE-2023-6337 & HCSEC-2023-34)

CHANGES:

• identity (enterprise): POST requests to the /identity/entity/merge endpoint are now always forwarded from standbys to the active node. [GH-24325]

BUG FIXES:

• agent/logging: Agent should now honor correct -log-format and -log-file settings in logs generated by the consul-template library. [GH-24252]
• api: Fix deadlock on calls to sys/leader with a namespace configured on the request. [GH-24256]
• core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [GH-24336]
• ui: Fix payload sent when disabling replication [GH-24292]

v1.14.7

Compare Source

1.14.7

November 30, 2023

CHANGES:

• core: Bump Go version to 1.20.11.

IMPROVEMENTS:

• core (enterprise): Speed up unseal when using namespaces
• secrets/pki: do not check TLS validity on ACME requests redirected to https [GH-22521]
• ui: Sort list view of entities and aliases alphabetically using the item name [GH-24103]
• ui: Update flat, shell-quote and swagger-ui-dist packages. Remove swagger-ui styling overrides. [GH-23700]

BUG FIXES:

• activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
• auth/cert: Handle errors related to expired OCSP server responses [GH-24193]
• core/config: Use correct HCL config value when configuring log_requests_level. [GH-24058]
• core/quotas: Close rate-limit blocked client purge goroutines when sealing [GH-24108]
• replication (enterprise): disallow configuring paths filter for a mount path that does not exist
• secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [GH-24192]
• secrets/transit: Fix a panic when attempting to export a public RSA key [GH-24054]
• ui: Fix error when tuning token auth configuration within namespace [GH-24147]

v1.14.6

Compare Source

1.14.6

November 09, 2023

SECURITY:

• core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [HSEC-2023-33]

CHANGES:

• auth/approle: Normalized error response messages when invalid credentials are provided [GH-23786]
• secrets/mongodbatlas: Update plugin to v0.10.2 [GH-23849]

FEATURES:

• cli/snapshot: Add CLI tool to inspect Vault snapshots [GH-23457]

IMPROVEMENTS:

• storage/etcd: etcd should only return keys when calling List() [GH-23872]

BUG FIXES:

• api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
  on the request. [GH-23861]
• core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
• core/activity: Fixes segments fragment loss due to exceeding entry record size limit [GH-23781]
• core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [GH-23802]
• core: Revert PR causing memory consumption bug [GH-23986]
• core: Skip unnecessary deriving of policies during Login MFA Check. [GH-23894]
• core: fix bug where deadlock detection was always on for expiration and quotas.
  These can now be configured individually with detect_deadlocks. [GH-23902]
• core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [GH-23874]
• expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [GH-24027]

v1.14.5

Compare Source

1.14.5

October 25, 2023

CHANGES:

• core: Bump Go version to 1.20.10.
• replication (enterprise): Switch to non-deprecated gRPC field for resolver target host

IMPROVEMENTS:

• api/plugins: add tls-server-name arg for plugin registration [GH-23549]
• core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [GH-22567]
• ui: Adds toggle to KV secrets engine value download modal to optionally stringify value in downloaded file [GH-23747]
• website/docs: fix inaccuracies with unauthenticated_in_flight_requests_access parameter [GH-23287]

BUG FIXES:

• command/server: Fix bug with sigusr2 where pprof files were not closed correctly [GH-23636]
• events: Ignore sending context to give more time for events to send [GH-23500]
• expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [GH-23282]
• kmip (enterprise): Improve handling of failures due to storage replication issues.
• kmip (enterprise): Return a structure in the response for query function Query Server Information.
• mongo-db: allow non-admin database for root credential rotation [GH-23240]
• replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
• replication (enterprise): Fix a missing unlock when changing replication state
• secrets/consul: Fix revocations when Vault has an access token using specific namespace and admin partition policies [GH-23010]
• secrets/pki: Stop processing in-flight ACME verifications when an active node steps down [GH-23278]
• secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
• secrets/transit (enterprise): Address panic when using GCP,AWS,Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled, only signing operations are supported.
• secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
• secrets/transit: Do not allow auto rotation on managed_key key types [GH-23723]
• storage/consul: fix a bug where an active node in a specific sort of network
  partition could continue to write data to Consul after a new leader is elected
  potentially causing data loss or corruption for keys with many concurrent
  writers. For Enterprise clusters this could cause corruption of the merkle trees
  leading to failure to complete merkle sync without a full re-index. [GH-23013]
• ui: Decode the connection url for display on the connection details page [GH-23695]
• ui: Fix AWS secret engine to allow empty policy_document field. [GH-23470]
• ui: Fix the copy token button in the sidebar navigation window when in a collapsed state. [GH-23331]
• ui: Fixes issue with sidebar navigation links disappearing when navigating to policies when a user is not authorized [GH-23516]

v1.14.4

Compare Source

1.14.4

September 27, 2023

CHANGES:

• core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy

IMPROVEMENTS:

• ui: Add pagination to PKI roles, keys, issuers, and certificates list pages [GH-23193]
• ui: Added allowed_domains_template field for CA type role in SSH engine [GH-23119]
• ui: Adds tidy_revoked_certs to PKI tidy status page [GH-23232]
• ui: Adds warning before downloading KV v2 secret values [GH-23260]

BUG FIXES:

• core: Fixes list password policy to include those with names containing / characters. [GH-23155]
• docs: fix wrong api path for ldap secrets cli-commands [GH-23225]
• secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [GH-23007]
• ui (enterprise): Fix error message when generating SSH credential with control group [GH-23025]
• ui: Fix the issue where confirm delete dropdown is being cut off [GH-23066]
• ui: Fixes filter and search bug in secrets engines [GH-23123]
• ui: don't exclude features present on license [GH-22855]

v1.14.3

Compare Source

1.14.3

September 13, 2023

SECURITY:

• secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. [GH-22852]

CHANGES:

• core: Bump Go version to 1.20.8.

FEATURES:

• Merkle Tree Corruption Detection (enterprise): Add a new endpoint to check merkle tree corruption.

IMPROVEMENTS:

• auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
• core/quotas: Add configuration to allow skipping of expensive role calculations [GH-22651]
• kmip (enterprise): reduce latency of KMIP operation handling

BUG FIXES:

• cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to table. [GH-22818]
• core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [GH-22597]
• core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
• core/seal: add a workaround for potential connection [hangs] in Azure autoseals. [GH-22760]
• core: All subloggers now reflect configured log level on reload. [GH-22038]
• kmip (enterprise): fix date handling error with some re-key operations
• raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
• replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
• secrets/transit: fix panic when providing non-PEM formatted public key for import [GH-22753]
• ui: fixes long namespace names overflow in the sidebar

v1.14.2

Compare Source

August 30, 2023

CHANGES:

• auth/azure: Update plugin to v0.16.0 [GH-22277]
• core: Bump Go version to 1.20.7.
• database/snowflake: Update plugin to v0.9.0 [GH-22516]

IMPROVEMENTS:

• auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [GH-22264]
• core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
• kmip (enterprise): Add namespace lock and unlock support [GH-21925]
• replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
• secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
• storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
• ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
• ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [GH-22191]
• ui: enables create and update KV secret workflow when control group present [GH-22471]
• website/docs: Fix link formatting in Vault lambda extension docs [GH-22396]

BUG FIXES:

• activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
• agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [GH-22322]
• api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
• core (enterprise): Remove MFA Configuration for namespace when deleting namespace
• core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [GH-22468]
• core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
  Also fix a related potential deadlock. [GH-21110]
• core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
• core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
• core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
• core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
• expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
• license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
• replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
• replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
• replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
• sdk/ldaputil: Properly escape user filters when using UPN domains
  sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
• secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22330]
• secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
• secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
• secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
• storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
• ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
• ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
• ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
• ui: fixes text readability issue in revoke token confirmation dialog [GH-22390]

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.14.8). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.