SECURITY:
- core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. (see CVE-2023-6337 & HCSEC-2023-34)
CHANGES:
- identity (enterprise): POST requests to the `/identity/entity/merge` endpoint are now always forwarded from standbys to the active node. [GH-24325]
BUG FIXES:
- agent/logging: Agent should now honor correct -log-format and -log-file settings in logs generated by the consul-template library. [GH-24252]
- api: Fix deadlock on calls to sys/leader with a namespace configured on the request. [GH-24256]
- core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [GH-24336]
- ui: Correctly handle directory redirects from pre 1.15.0 Kv v2 list view urls. [GH-24281]
- ui: Fix payload sent when disabling replication [GH-24292]
- ui: When Kv v2 secret is an object, fix so details view defaults to readOnly JSON editor. [GH-24290]
CHANGES:
- core: Bump Go version to 1.21.4.
IMPROVEMENTS:
- core (enterprise): Speed up unseal when using namespaces
- core: update sys/seal-status (and CLI vault status) to report the type of the seal when unsealed, as well as the type of the recovery seal if an auto-seal. [GH-23022]
- secrets/pki: do not check TLS validity on ACME requests redirected to https [GH-22521]
- ui: Sort list view of entities and aliases alphabetically using the item name [GH-24103]
- ui: capabilities-self is always called in the user's root namespace [GH-24168]
BUG FIXES:
- activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
- auth/cert: Handle errors related to expired OCSP server responses [GH-24193]
- core (Enterprise): Treat multiple disabled HA seals as a migration to Shamir.
- core/audit: Audit logging a Vault response will now use a 5 second context timeout, separate from the original request. [GH-24238]
- core/config: Use correct HCL config value when configuring `log_requests_level`. [GH-24059]
- core/quotas: Close rate-limit blocked client purge goroutines when sealing [GH-24108]
- core: Fix an error that resulted in the wrong seal type being returned by sys/seal-status while Vault is in seal migration mode. [GH-24165]
- replication (enterprise): disallow configuring paths filter for a mount path that does not exist
- secrets-sync (enterprise): Fix panic when setting usage_gauge_period to none
- secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [GH-24192]
- secrets/transit: Fix a panic when attempting to export a public RSA key [GH-24054]
- ui: Fix JSON editor in KV V2 unable to handle pasted values [GH-24224]
- ui: Fix error when tuning token auth configuration within namespace [GH-24147]
- ui: show error from API when seal fails [GH-23921]
SECURITY:
- core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [HSEC-2023-33]
CHANGES:
- auth/approle: Normalized error response messages when invalid credentials are provided [GH-23786]
- secrets/mongodbatlas: Update plugin to v0.10.2 [GH-23849]
FEATURES:
- cli/snapshot: Add CLI tool to inspect Vault snapshots [GH-23457]
IMPROVEMENTS:
- api (enterprise): Enable the sys/license/features from any namespace
- storage/etcd: etcd should only return keys when calling List() [GH-23872]
- ui: Update flat, shell-quote and swagger-ui-dist packages. Remove swagger-ui styling overrides. [GH-23700]
- ui: Update sidebar Secrets engine to title case. [GH-23964]
BUG FIXES:
- api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured on the request. [GH-23861]
- core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
- core/activity: Fixes segments fragment loss due to exceeding entry record size limit [GH-23781]
- core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [GH-23802]
- core: Revert PR causing memory consumption bug [GH-23986]
- core: Skip unnecessary deriving of policies during Login MFA Check. [GH-23894]
- core: fix bug where deadlock detection was always on for expiration and quotas. These can now be configured individually with `detect_deadlocks`. [GH-23902]
- core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [GH-23874]
- expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [GH-24027]
- ui: fix broken GUI when accessing from listener with chroot_namespace defined [GH-23942]
CHANGES:
- core: Bump Go version to 1.21.3.
IMPROVEMENTS:
- api/plugins: add `tls-server-name` arg for plugin registration [GH-23549]
- auto-auth/azure: Support setting the `authenticate_from_environment` variable to "true" and "false" string literals, too. [GH-22996]
- secrets-sync (enterprise): Added telemetry on number of destinations and associations per type.
- ui: Adds a warning when whitespace is detected in a key of a KV secret [GH-23702]
- ui: Adds toggle to KV secrets engine value download modal to optionally stringify value in downloaded file [GH-23747]
- ui: Surface warning banner if UI has stopped auto-refreshing token [GH-23143]
- ui: show banner when resultant-acl check fails due to permissions or wrong namespace. [GH-23503]
BUG FIXES:
- Seal HA (enterprise/beta): Fix rejection of a seal configuration change from two to one auto seal due to persistence of the previous seal type being "multiseal". [GH-23573]
- audit: Fix bug reopening 'file' audit devices on SIGHUP. [GH-23598]
- auth/aws: Fixes a panic that can occur in IAM-based login when a client config does not exist. [GH-23555]
- command/server: Fix bug with sigusr2 where pprof files were not closed correctly [GH-23636]
- events: Ignore sending context to give more time for events to send [GH-23500]
- expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [GH-23282]
- kmip (enterprise): Improve handling of failures due to storage replication issues.
- kmip (enterprise): Return a structure in the response for query function Query Server Information.
- mongo-db: allow non-admin database for root credential rotation [GH-23240]
- replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
- replication (enterprise): Fix a missing unlock when changing replication state
- secrets-sync (enterprise): Fixed issue where we could sync a deleted secret
- secrets/aws: update credential rotation deadline when static role rotation period is updated [GH-23528]
- secrets/consul: Fix revocations when Vault has an access token using specific namespace and admin partition policies [GH-23010]
- secrets/pki: Stop processing in-flight ACME verifications when an active node steps down [GH-23278]
- secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
- secrets/transit (enterprise): Address panic when using GCP, AWS, or Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled; only signing operations are supported.
- secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
- secrets/transit: Do not allow auto rotation on managed_key key types [GH-23723]
- storage/consul: fix a bug where an active node in a specific sort of network partition could continue to write data to Consul after a new leader is elected potentially causing data loss or corruption for keys with many concurrent writers. For Enterprise clusters this could cause corruption of the merkle trees leading to failure to complete merkle sync without a full re-index. [GH-23013]
- ui: Assumes version 1 for kv engines when options are null because no version is specified [GH-23585]
- ui: Decode the connection url for display on the connection details page [GH-23695]
- ui: Fix AWS secret engine to allow empty policy_document field. [GH-23470]
- ui: Fix bug where auth items were not listed when within a namespace. [GH-23446]
- ui: Fix regression that broke the oktaNumberChallenge on the ui. [GH-23565]
- ui: Fix the copy token button in the sidebar navigation window when in a collapsed state. [GH-23331]
- ui: Fixes issue where you could not share the list view URL from the KV v2 secrets engine. [GH-23620]
- ui: Fixes issue with sidebar navigation links disappearing when navigating to policies when a user is not authorized [GH-23516]
- ui: Fixes issues displaying accurate TLS state in dashboard configuration details [GH-23726]
SECURITY:
- secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [GH-22852, HSEC-2023-28]
- sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8. [HSEC-2023-29]
CHANGES:
- auth/alicloud: Update plugin to v0.16.0 [GH-22646]
- auth/azure: Update plugin to v0.16.0 [GH-22277]
- auth/azure: Update plugin to v0.16.1 [GH-22795]
- auth/azure: Update plugin to v0.16.2 [GH-23060]
- auth/cf: Update plugin to v0.15.1 [GH-22758]
- auth/gcp: Update plugin to v0.16.1 [GH-22612]
- auth/jwt: Update plugin to v0.17.0 [GH-22678]
- auth/kerberos: Update plugin to v0.10.1 [GH-22797]
- auth/kubernetes: Update plugin to v0.17.0 [GH-22709]
- auth/kubernetes: Update plugin to v0.17.1 [GH-22879]
- auth/ldap: Normalize HTTP response codes when invalid credentials are provided [GH-21282]
- auth/oci: Update plugin to v0.14.2 [GH-22805]
- core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
- core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace), which will have access to some system backend paths that were previously only accessible in the root namespace. [GH-21215]
- core: Bump Go version to 1.21.1.
- database/couchbase: Update plugin to v0.9.3 [GH-22854]
- database/couchbase: Update plugin to v0.9.4 [GH-22871]
- database/elasticsearch: Update plugin to v0.13.3 [GH-22696]
- database/mongodbatlas: Update plugin to v0.10.1 [GH-22655]
- database/redis-elasticache: Update plugin to v0.2.2 [GH-22584]
- database/redis-elasticache: Update plugin to v0.2.3 [GH-22598]
- database/redis: Update plugin to v0.2.2 [GH-22654]
- database/snowflake: Update plugin to v0.9.0 [GH-22516]
- events: Log level for processing an event dropped from info to debug. [GH-22997]
- events: `data_path` will include full data path of secret, including name. [GH-22487]
- replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
- sdk/logical/events: `EventSender` interface method is now `SendEvent` instead of `Send`. [GH-22487]
- secrets/ad: Update plugin to v0.16.1 [GH-22856]
- secrets/alicloud: Update plugin to v0.15.1 [GH-22533]
- secrets/azure: Update plugin to v0.16.2 [GH-22799]
- secrets/azure: Update plugin to v0.16.3 [GH-22824]
- secrets/gcp: Update plugin to v0.17.0 [GH-22746]
- secrets/gcpkms: Update plugin to v0.15.1 [GH-22757]
- secrets/keymgmt: Update plugin to v0.9.3
- secrets/kubernetes: Update plugin to v0.6.0 [GH-22823]
- secrets/kv: Update plugin to v0.16.1 [GH-22716]
- secrets/mongodbatlas: Update plugin to v0.10.1 [GH-22748]
- secrets/openldap: Update plugin to v0.11.2 [GH-22734]
- secrets/terraform: Update plugin to v0.7.3 [GH-22907]
- secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
- storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]
- telemetry: Replace `vault.rollback.attempt.{MOUNT_POINT}` and `vault.route.rollback.{MOUNT_POINT}` metrics with `vault.rollback.attempt` and `vault.route.rollback` metrics by default. Added a telemetry configuration `add_mount_point_rollback_metrics` which, when set to true, causes vault to emit the metrics with mount points in their names. [GH-22400]
FEATURES:
- Certificate Issuance External Policy Service (CIEPS) (enterprise): Allow highly-customizable operator control of certificate validation and generation through the PKI Secrets Engine.
- Copyable KV v2 paths in UI: KV v2 secret paths are copyable for use in CLI commands or API calls [GH-22551]
- Dashboard UI: Dashboard is now available in the UI as the new landing page. [GH-21057]
- Database Static Role Advanced TTL Management: Adds the ability to rotate static roles on a defined schedule. [GH-22484]
- Event System: Add subscribe capability and subscribe_event_types to policies for events. [GH-22474]
- GCP IAM Support: Adds support for IAM-based authentication to MySQL and PostgreSQL backends using Google Cloud SQL. [GH-22445]
- Improved KV V2 UI: Updated and restructured secret engine for KV (version 2 only) [GH-22559]
- Merkle Tree Corruption Detection (enterprise): Add a new endpoint to check merkle tree corruption.
- Plugin Containers: Vault supports registering, managing, and running plugins inside a container on Linux. [GH-22712]
- SAML Auth Method (enterprise): Enable users to authenticate with Vault using their identity in a SAML Identity Provider.
- Seal High Availability Beta (enterprise): operators can try out configuring more than one automatic seal for resilience against seal provider outages. Not for production use at this time.
- Secrets Sync (enterprise): Add the ability to synchronize KVv2 secret with external secrets manager solutions.
- UI LDAP secrets engine: Add LDAP secrets engine to the UI. [GH-20790]
IMPROVEMENTS:
- Bump github.com/hashicorp/go-plugin version v1.4.9 -> v1.4.10 [GH-20966]
- api: add support for cloning a Client's tls.Config. [GH-21424]
- api: adding a new api sys method for replication status [GH-20995]
- audit: add core audit events experiment [GH-21628]
- auth/aws: Added support for signed GET requests for authenticating to vault using the aws iam method. [GH-10961]
- auth/azure: Add support for azure workload identity authentication (see issue #18257). Update go-kms-wrapping dependency to include PR #155 [GH-22994]
- auth/azure: Added Azure API configurable retry options [GH-23059]
- auth/cert: Adds support for requiring hexadecimal-encoded non-string certificate extension values [GH-21830]
- auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
- auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [GH-22264]
- auto-auth: added support for LDAP auto-auth [GH-21641]
- aws/auth: Adds a new config field `use_sts_region_from_client` which allows for using dynamic regional sts endpoints based on Authorization header when using IAM-based authentication. [GH-21960]
- command/server: add `-dev-tls-san` flag to configure subject alternative names for the certificate generated when using `-dev-tls`. [GH-22657]
- core (ent): Add field that allows lease-count namespace quotas to be inherited by child namespaces.
- core: Add field that allows rate-limit namespace quotas to be inherited by child namespaces. [GH-22452]
- core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
- core/quotas: Add configuration to allow skipping of expensive role calculations [GH-22651]
- core: Add a new periodic metric to track the number of available policies, `vault.policy.configured.count`. [GH-21010]
- core: Fix OpenAPI representation and `-output-policy` recognition of some non-standard sudo paths [GH-21772]
- core: Fix regexes for `sys/raw/` and `sys/leases/lookup/` to match prevailing conventions [GH-21760]
- core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
- core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [GH-22567]
- core: add a listener configuration "chroot_namespace" that forces requests to use a namespace hierarchy [GH-22304]
- core: remove unnecessary *BarrierView field from backendEntry struct [GH-20933]
- core: use Go stdlib functionalities instead of explicit byte/string conversions [GH-21854]
- eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [GH-21623]
- events: Allow subscriptions to multiple namespaces [GH-22540]
- events: Enabled by default [GH-22815]
- events: WebSocket subscriptions add support for boolean filter expressions [GH-22835]
- framework: Make it an error for `CreateOperation` to be defined without an `ExistenceCheck`, thereby fixing misleading `x-vault-createSupported` in OpenAPI [GH-18492]
- kmip (enterprise): Add namespace lock and unlock support [GH-21925]
- openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [GH-21563]
- openapi: Fix generated types for duration strings [GH-20841]
- openapi: Fix generation of correct fields in some rarer cases [GH-21942]
- openapi: Fix response definitions for list operations [GH-21934]
- openapi: List operations are now given first-class representation in the OpenAPI document, rather than sometimes being overlaid with a read operation at the same path [GH-21723]
- plugins: Containerized plugins can be configured to still work when running with systemd's PrivateTmp=true setting. [GH-23215]
- replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
- replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
- sdk/framework: Adds replication state helper for backends to check for read-only storage [GH-21743]
- secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
- secrets/db: Remove the `service_account_json` parameter when reading DB connection details [GH-23256]
- secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [GH-21702]
- secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
- secrets/transit: Add support to create CSRs from keys in transit engine and import/export x509 certificates [GH-21081]
- storage/dynamodb: Added three permit pool metrics for the DynamoDB backend, `pending_permits`, `active_permits`, and `pool_size`. [GH-21742]
- storage/etcd: Make etcd parameter MaxCallSendMsgSize configurable [GH-12666]
- storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
- sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [GH-21681]
- ui: Add API Explorer link to Sidebar, under Tools. [GH-21578]
- ui: Add pagination to PKI roles, keys, issuers, and certificates list pages [GH-23193]
- ui: Added allowed_domains_template field for CA type role in SSH engine [GH-23119]
- ui: Adds mount configuration details to Kubernetes secrets engine configuration view [GH-22926]
- ui: Adds tidy_revoked_certs to PKI tidy status page [GH-23232]
- ui: Adds warning before downloading KV v2 secret values [GH-23260]
- ui: Display minus icon for empty MaskedInput value. Show MaskedInput for KV secrets without values [GH-22039]
- ui: JSON diff view available in "Create New Version" form for KV v2 [GH-22593]
- ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
- ui: Move access to KV V2 version diff view to toolbar in Version History [GH-23200]
- ui: Update pki mount configuration details to match the new mount configuration details pattern [GH-23166]
- ui: add example modal to policy form [GH-21583]
- ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [GH-22191]
- ui: display CertificateCard instead of MaskedInput for certificates in PKI [GH-22160]
- ui: enables create and update KV secret workflow when control group present [GH-22471]
- ui: implement hashicorp design system alert component [GH-21375]
- ui: update detail views that render ttl durations to display full unit instead of letter (i.e. 'days' instead of 'd') [GH-20697]
- ui: update unseal and DR operation token flow components [GH-21871]
- ui: upgrade Ember to 4.12 [GH-22122]
DEPRECATIONS:
- auth/centrify: Centrify plugin is deprecated as of 1.15, slated for removal in 1.17 [GH-23050]
BUG FIXES:
- activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
- agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [GH-22322]
- agent: Fix "generate-config" command documentation URL [GH-21466]
- api/client: Fix deadlock in client.CloneWithHeaders when used alongside other client methods. [GH-22410]
- api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
- audit: Prevent panic due to nil pointer receiver for audit header formatting. [GH-22694]
- auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21800]
- auth/token, sys: Fix path-help being unavailable for some list-only endpoints [GH-18571]
- auth/token: Fix parsing of `auth/token/create` fields to avoid incorrect warnings about ignored parameters [GH-18556]
- awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer respects `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, and `AWS_ROLE_SESSION_NAME`. [GH-21951]
- cli: Avoid printing "Success" message when `-field` flag is provided during a `vault write`. [GH-21546]
- cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [GH-22818]
- core (enterprise): Fix sentinel policy check logic so that sentinel policies are not used when Sentinel feature isn't licensed.
- core (enterprise): Remove MFA Configuration for namespace when deleting namespace
- core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
- core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [GH-22468]
- core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context. Also fix a related potential deadlock. [GH-21110]
- core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [GH-22597]
- core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
- core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
- core: All subloggers now reflect configured log level on reload. [GH-22038]
- core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
- core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
- core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
- core: Fixed issue with some durations not being properly parsed to include days. [GH-21357]
- core: Fixes list password policy to include those with names containing / characters. [GH-23155]
- core: fix race when updating a mount's route entry tainted status and incoming requests [GH-21640]
- events: Ensure subscription resources are cleaned up on close. [GH-23042]
- expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
- identity/mfa: Fixes to OpenAPI representation and returned error codes for `identity/mfa/method/*` APIs [GH-20879]
- identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
- license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
- openapi: Fix response schema for PKI Issue requests [GH-21449]
- openapi: Fix schema definitions for PKI EAB APIs [GH-21458]
- plugins: Containerized plugins can be run with mlock enabled. [GH-23215]
- plugins: Fix instance where Vault could fail to kill broken/unresponsive plugins. [GH-22914]
- plugins: Fix instance where broken/unresponsive plugins could cause Vault to hang. [GH-22914]
- plugins: Runtime catalog returns 404 instead of 500 when reading a runtime that does not exist [GH-23171]
- plugins: `vault plugin runtime list` can successfully list plugin runtimes with GET [GH-23171]
- raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
- replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
- replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
- replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
- replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
- replication (enterprise): Sort cluster addresses returned by echo requests, so that primary-addrs only gets persisted when the set of addrs changes.
- replication (enterprise): update primary cluster address after DR failover
- sdk/ldaputil: Properly escape user filters when using UPN domains
- sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
- secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21631]
- secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22330]
- secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [GH-21870]
- secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [GH-21870]
- secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [GH-23007]
- secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but still referenced in the Vault 1.10 legacy CA bundle, this caused the error: `no managed key found with uuid`. [GH-21316]
- secrets/pki: allowed_domains are now compared in a case-insensitive manner if they use glob patterns [GH-22126]
- secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
- secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
- secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
- secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
- secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
- secrets/transit: fix panic when providing non-PEM formatted public key for import [GH-22753]
- serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
- storage/consul: Consul service registration tags are now case-sensitive. [GH-6483]
- storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
- ui (enterprise): Fix error message when generating SSH credential with control group [GH-23025]
- ui: Adds missing values to details view after generating PKI certificate [GH-21635]
- ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
- ui: Fix display for "Last Vault Rotation" timestamp for static database roles which was not rendering or copyable [GH-22519]
- ui: Fix styling for username input when editing a user [GH-21771]
- ui: Fix styling for viewing certificate in kubernetes configuration [GH-21968]
- ui: Fix the issue where confirm delete dropdown is being cut off [GH-23066]
- ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [GH-21739]
- ui: Fixed secrets, leases, and policies filter dropping focus after a single character [GH-21767]
- ui: Fixes filter and search bug in secrets engines [GH-23123]
- ui: Fixes form field label tooltip alignment [GH-22832]
- ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [GH-21562]
- ui: Fixes login screen display issue with Safari browser [GH-21582]
- ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [GH-21926]
- ui: Fixes styling of private key input when configuring an SSH key [GH-21531]
- ui: Surface DOMException error when browser settings prevent localStorage. [GH-21503]
- ui: correct doctype for index.html [GH-22153]
- ui: don't exclude features present on license [GH-22855]
- ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
- ui: fixes long namespace names overflow in the sidebar
- ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
- ui: fixes text readability issue in revoke token confirmation dialog [GH-22390]
SECURITY:
- core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. (see CVE-2023-6337 & HCSEC-2023-34)
CHANGES:
- identity (enterprise): POST requests to the `/identity/entity/merge` endpoint are now always forwarded from standbys to the active node. [GH-24325]
BUG FIXES:
- agent/logging: Agent should now honor correct -log-format and -log-file settings in logs generated by the consul-template library. [GH-24252]
- api: Fix deadlock on calls to sys/leader with a namespace configured on the request. [GH-24256]
- core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [GH-24336]
- ui: Fix payload sent when disabling replication [GH-24292]
CHANGES:
- core: Bump Go version to 1.20.11.
IMPROVEMENTS:
- core (enterprise): Speed up unseal when using namespaces
- secrets/pki: do not check TLS validity on ACME requests redirected to https [GH-22521]
- ui: Sort list view of entities and aliases alphabetically using the item name [GH-24103]
- ui: Update flat, shell-quote and swagger-ui-dist packages. Remove swagger-ui styling overrides. [GH-23700]
BUG FIXES:
- activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
- auth/cert: Handle errors related to expired OCSP server responses [GH-24193]
- core/config: Use correct HCL config value when configuring `log_requests_level`. [GH-24058]
- core/quotas: Close rate-limit blocked client purge goroutines when sealing [GH-24108]
- replication (enterprise): disallow configuring paths filter for a mount path that does not exist
- secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [GH-24192]
- secrets/transit: Fix a panic when attempting to export a public RSA key [GH-24054]
- ui: Fix error when tuning token auth configuration within namespace [GH-24147]
SECURITY:
- core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [HSEC-2023-33]
CHANGES:
- auth/approle: Normalized error response messages when invalid credentials are provided [GH-23786]
- secrets/mongodbatlas: Update plugin to v0.10.2 [GH-23849]
FEATURES:
- cli/snapshot: Add CLI tool to inspect Vault snapshots [GH-23457]
IMPROVEMENTS:
- storage/etcd: etcd should only return keys when calling List() [GH-23872]
BUG FIXES:
- api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured on the request. [GH-23861]
- core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
- core/activity: Fixes segments fragment loss due to exceeding entry record size limit [GH-23781]
- core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [GH-23802]
- core: Revert PR causing memory consumption bug [GH-23986]
- core: Skip unnecessary deriving of policies during Login MFA Check. [GH-23894]
- core: fix bug where deadlock detection was always on for expiration and quotas. These can now be configured individually with `detect_deadlocks`. [GH-23902]
- core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [GH-23874]
- expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [GH-24027]
CHANGES:
- core: Bump Go version to 1.20.10.
- replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
IMPROVEMENTS:
- api/plugins: add `tls-server-name` arg for plugin registration [GH-23549]
- core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [GH-22567]
- ui: Adds toggle to KV secrets engine value download modal to optionally stringify value in downloaded file [GH-23747]
BUG FIXES:
- command/server: Fix bug with sigusr2 where pprof files were not closed correctly [GH-23636]
- events: Ignore sending context to give more time for events to send [GH-23500]
- expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [GH-23282]
- kmip (enterprise): Improve handling of failures due to storage replication issues.
- kmip (enterprise): Return a structure in the response for query function Query Server Information.
- mongo-db: allow non-admin database for root credential rotation [GH-23240]
- replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
- replication (enterprise): Fix a missing unlock when changing replication state
- secrets/consul: Fix revocations when Vault has an access token using specific namespace and admin partition policies [GH-23010]
- secrets/pki: Stop processing in-flight ACME verifications when an active node steps down [GH-23278]
- secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
- secrets/transit (enterprise): Address panic when using GCP, AWS, Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled, only signing operations are supported.
- secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
- secrets/transit: Do not allow auto rotation on managed_key key types [GH-23723]
- storage/consul: fix a bug where an active node in a specific sort of network partition could continue to write data to Consul after a new leader is elected potentially causing data loss or corruption for keys with many concurrent writers. For Enterprise clusters this could cause corruption of the merkle trees leading to failure to complete merkle sync without a full re-index. [GH-23013]
- ui: Decode the connection url for display on the connection details page [GH-23695]
- ui: Fix AWS secret engine to allow empty policy_document field. [GH-23470]
- ui: Fix the copy token button in the sidebar navigation window when in a collapsed state. [GH-23331]
- ui: Fixes issue with sidebar navigation links disappearing when navigating to policies when a user is not authorized [GH-23516]
SECURITY:
- sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8. [HSEC-2023-29]
CHANGES:
- core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
IMPROVEMENTS:
- ui: Add pagination to PKI roles, keys, issuers, and certificates list pages [GH-23193]
- ui: Added allowed_domains_template field for CA type role in SSH engine [GH-23119]
- ui: Adds tidy_revoked_certs to PKI tidy status page [GH-23232]
- ui: Adds warning before downloading KV v2 secret values [GH-23260]
BUG FIXES:
- core: Fixes list password policy to include those with names containing / characters. [GH-23155]
- secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [GH-23007]
- ui (enterprise): Fix error message when generating SSH credential with control group [GH-23025]
- ui: Fix the issue where confirm delete dropdown is being cut off [GH-23066]
- ui: Fixes filter and search bug in secrets engines [GH-23123]
- ui: don't exclude features present on license [GH-22855]
SECURITY:
- secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [GH-22852, HSEC-2023-28]
CHANGES:
- core: Bump Go version to 1.20.8.
FEATURES:
- **Merkle Tree Corruption Detection (enterprise)**: Add a new endpoint to check merkle tree corruption.
IMPROVEMENTS:
- auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
- core/quotas: Add configuration to allow skipping of expensive role calculations [GH-22651]
- kmip (enterprise): reduce latency of KMIP operation handling
BUG FIXES:
- cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [GH-22818]
- core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [GH-22597]
- core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
- core/seal: add a workaround for potential connection [hangs] in Azure autoseals. [GH-22760]
- core: All subloggers now reflect configured log level on reload. [GH-22038]
- kmip (enterprise): fix date handling error with some re-key operations
- raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
- replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
- secrets/transit: fix panic when providing non-PEM formatted public key for import [GH-22753]
- ui: fixes long namespace names overflow in the sidebar
CHANGES:
- auth/azure: Update plugin to v0.16.0 [GH-22277]
- core: Bump Go version to 1.20.7.
- database/snowflake: Update plugin to v0.9.0 [GH-22516]
IMPROVEMENTS:
- auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [GH-22264]
- core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
- kmip (enterprise): Add namespace lock and unlock support [GH-21925]
- replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
- secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
- storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
- ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
- ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [GH-22191]
- ui: enables create and update KV secret workflow when control group present [GH-22471]
- website/docs: Fix link formatting in Vault lambda extension docs [GH-22396]
BUG FIXES:
- activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
- agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [GH-22322]
- api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
- core (enterprise): Remove MFA Configuration for namespace when deleting namespace
- core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [GH-22468]
- core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context. Also fix a related potential deadlock. [GH-21110]
- core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
- core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
- core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
- core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
- expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
- license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
- replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
- replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
- replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
- sdk/ldaputil: Properly escape user filters when using UPN domains; use EscapeLDAPValue implementation from cap/ldap [GH-22249]
- secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22330]
- secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
- secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
- secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
- storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
- ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
- ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
- ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
- ui: fixes text readability issue in revoke token confirmation dialog [GH-22390]
SECURITY:
- auth/ldap: Normalize HTTP response codes when invalid credentials are provided to prevent user enumeration. This vulnerability, CVE-2023-3462, is fixed in Vault 1.14.1 and 1.13.5. [GH-21282, HSEC-2023-24]
- core/namespace (enterprise): An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. [HSEC-2023-23]
CHANGES:
- core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace), which will have access to some system backend paths that were previously only accessible in the root namespace. [GH-21215]
- secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
- storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]
IMPROVEMENTS:
- core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
- eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [GH-21623]
- openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [GH-21563]
- replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
- secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [GH-21702]
- secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
- sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [GH-21681]
BUG FIXES:
- agent: Fix "generate-config" command documentation URL [GH-21466]
- auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21800]
- auth/token, sys: Fix path-help being unavailable for some list-only endpoints [GH-18571]
- auth/token: Fix parsing of `auth/token/create` fields to avoid incorrect warnings about ignored parameters [GH-18556]
- awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer respects `AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`, and `AWS_ROLE_SESSION_NAME`. [GH-21951]
- core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
- core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-24170]
- core: Fixed issue with some durations not being properly parsed to include days. [GH-21357]
- identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
- openapi: Fix response schema for PKI Issue requests [GH-21449]
- openapi: Fix schema definitions for PKI EAB APIs [GH-21458]
- replication (enterprise): update primary cluster address after DR failover
- secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21631]
- secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [GH-21870]
- secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [GH-21870]
- secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this caused the error: `no managed key found with uuid`. [GH-21316]
- secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
- secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
- serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
- ui: Adds missing values to details view after generating PKI certificate [GH-21635]
- ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [GH-21739]
- ui: Fixed secrets, leases, and policies filter dropping focus after a single character [GH-21767]
- ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [GH-21562]
- ui: Fixes login screen display issue with Safari browser [GH-21582]
- ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [GH-21926]
- ui: Fixes styling of private key input when configuring an SSH key [GH-21531]
- ui: Surface DOMException error when browser settings prevent localStorage. [GH-21503]
SECURITY:
- ui: key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. [HSEC-2023-17]
BREAKING CHANGES:
- secrets/pki: Maintaining running count of certificates will be turned off by default. To re-enable keeping these metrics available on the tidy status endpoint, enable `maintain_stored_certificate_counts` on tidy-config; to also publish them to the metrics consumer, enable `publish_stored_certificate_count_metrics`. [GH-18186]
CHANGES:
- auth/alicloud: Updated plugin from v0.14.0 to v0.15.0 [GH-20758]
- auth/azure: Updated plugin from v0.13.0 to v0.15.0 [GH-20816]
- auth/centrify: Updated plugin from v0.14.0 to v0.15.1 [GH-20745]
- auth/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20725]
- auth/jwt: Updated plugin from v0.15.0 to v0.16.0 [GH-20799]
- auth/kubernetes: Update plugin to v0.16.0 [GH-20802]
- core: Bump Go version to 1.20.5.
- core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS. [GH-20834]
- core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
- database/couchbase: Updated plugin from v0.9.0 to v0.9.2 [GH-20764]
- database/redis-elasticache: Updated plugin from v0.2.0 to v0.2.1 [GH-20751]
- replication (enterprise): Add a new parameter for the update-primary API call that allows for setting of the primary cluster addresses directly, instead of via a token.
- secrets/ad: Updated plugin from v0.10.1-0.20230329210417-0b2cdb26cf5d to v0.16.0 [GH-20750]
- secrets/alicloud: Updated plugin from v0.5.4-beta1.0.20230330124709-3fcfc5914a22 to v0.15.0 [GH-20787]
- secrets/azure: Updated plugin from v0.15.0 to v0.16.0 [GH-20777]
- secrets/database/mongodbatlas: Updated plugin from v0.9.0 to v0.10.0 [GH-20882]
- secrets/database/snowflake: Updated plugin from v0.7.0 to v0.8.0 [GH-20807]
- secrets/gcp: Updated plugin from v0.15.0 to v0.16.0 [GH-20818]
- secrets/keymgmt: Updated plugin to v0.9.1
- secrets/kubernetes: Update plugin to v0.5.0 [GH-20802]
- secrets/mongodbatlas: Updated plugin from v0.9.1 to v0.10.0 [GH-20742]
- secrets/pki: Allow issuance of root CAs without AIA, when templated AIA information includes issuer_id. [GH-21209]
- secrets/pki: Warning when issuing leafs from CSRs with basic constraints. In the future, issuance of non-CA leaf certs from CSRs with asserted IsCA Basic Constraints will be prohibited. [GH-20654]
FEATURES:
- AWS Static Roles: The AWS Secrets Engine can manage static roles configured by users. [GH-20536]
- Automated License Utilization Reporting: Added automated license utilization reporting, which sends minimal product-license metering data to HashiCorp without requiring you to manually collect and report them.
- Environment Variables through Vault Agent: Introducing a new process-supervisor mode for Vault Agent which allows injecting secrets as environment variables into a child process using a new `env_template` configuration stanza. The process-supervisor configuration can be generated with a new `vault agent generate-config` helper tool. [GH-20530]
- MongoDB Atlas Database Secrets: Adds support for client certificate credentials [GH-20425]
- MongoDB Atlas Database Secrets: Adds support for generating X.509 certificates on dynamic roles for user authentication [GH-20882]
- NEW PKI Workflow in UI: Completes generally available rollout of new PKI UI that provides smoother mount configuration and a more guided user experience [GH-pki-ui-improvements]
- Secrets/Auth Plugin Multiplexing: The plugin will be multiplexed when run as an external plugin by vault versions that support secrets/auth plugin multiplexing (> 1.12) [GH-19215]
- Sidebar Navigation in UI: A new sidebar navigation panel has been added in the UI to replace the top navigation bar. [GH-19296]
- Vault PKI ACME Server: Support for the ACME certificate lifecycle management protocol has been added to the Vault PKI Plugin. This allows standard ACME clients, such as the EFF's certbot and the CNCF's k8s cert-manager, to request certificates from a Vault server with no knowledge of Vault APIs or authentication mechanisms. For public-facing Vault instances, we recommend requiring External Account Bindings (EAB) to limit the ability to request certificates to only authenticated clients. [GH-20752]
- Vault Proxy: Introduced Vault Proxy, a new subcommand of the Vault binary that can be invoked using `vault proxy -config=config.hcl`. It currently has the same feature set as Vault Agent's API proxy, but the two may diverge in the future. We plan to deprecate the API proxy functionality of Vault Agent in a future release. [GH-20548]
- OCI Auto-Auth: Add OCI (Oracle Cloud Infrastructure) auto-auth method [GH-19260]
IMPROVEMENTS:
- api: Add Config.TLSConfig method to fetch the TLS configuration from a client config. [GH-20265]
- physical/etcd: Upgrade etcd3 client to v3.5.7 [GH-20261]
- activitylog: EntityRecord protobufs now contain a ClientType field for distinguishing client sources. [GH-20626]
- agent: Add integration tests for agent running in process supervisor mode [GH-20741]
- agent: Add logic to validate env_template entries in configuration [GH-20569]
- agent: Added `reload` option to cert auth configuration in case of external renewals of local x509 key-pairs. [GH-19002]
- agent: JWT auto-auth has a new config option, `remove_jwt_follows_symlinks` (default: false), that, if set to true will now remove the JWT, instead of the symlink to the JWT, if a symlink to a JWT has been provided in the `path` option, and the `remove_jwt_after_reading` config option is set to true (default). [GH-18863]
- agent: Vault Agent now reports its name and version as part of the User-Agent header in all requests issued. [GH-19776]
- agent: initial implementation of a process runner for injecting secrets via environment variables via vault agent [GH-20628]
- api: GET ... /sys/internal/counters/activity?current_billing_period=true now results in a response which contains the full billing period [GH-20694]
- api: `/sys/internal/counters/config` endpoint now contains read-only `minimum_retention_months`. [GH-20150]
- api: `/sys/internal/counters/config` endpoint now contains read-only `reporting_enabled` and `billing_start_timestamp` fields. [GH-20086]
- api: property based testing for LifetimeWatcher sleep duration calculation [GH-17919]
- audit: add plugin metadata, including plugin name, type, version, sha256, and whether plugin is external, to audit logging [GH-19814]
- audit: forwarded requests can now contain host metadata on the node it was sent 'from' or a flag to indicate that it was forwarded.
- auth/cert: Better return OCSP validation errors during login to the caller. [GH-20234]
- auth/kerberos: Enable plugin multiplexing; upgrade plugin dependencies [GH-20771]
- auth/ldap: allow configuration of alias dereferencing in LDAP search [GH-18230]
- auth/ldap: allow providing the LDAP password via an env var when authenticating via the CLI [GH-18225]
- auth/oidc: Adds support for group membership parsing when using IBM ISAM as an OIDC provider. [GH-19247]
- build: Prefer GOBIN when set over GOPATH/bin when building the binary [GH-19862]
- cli: Add walkSecretsTree helper function, which recursively walks secrets rooted at the given path [GH-20464]
- cli: Improve addPrefixToKVPath helper [GH-20488]
- command/server (enterprise): -dev-three-node now creates perf standbys instead of regular standbys. [GH-20629]
- command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when `VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [GH-20609]
- command/server: New -dev-cluster-json writes a file describing the dev cluster in -dev and -dev-three-node modes, plus -dev-three-node now enables unauthenticated metrics and pprof requests. [GH-20224]
- core (enterprise): add configuration for license reporting [GH-19891]
- core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
- core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
- core (enterprise): vault server command now allows for opt-out of automated reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [GH-3939]
- core, secrets/pki, audit: Update dependency go-jose to v3 due to v2 deprecation. [GH-20559]
- core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
- core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
- core: Add possibility to decode a generated encoded root token via the rest API [GH-20595]
- core: include namespace path in granting_policies block of audit log
- core: include reason for ErrReadOnly on PBPWF writing failures
- core: report intermediate error messages during request forwarding [GH-20643]
- core: provide more descriptive error message when calling enterprise feature paths in open-source [GH-18870]
- database/elasticsearch: Upgrade plugin dependencies [GH-20767]
- database/mongodb: upgrade mongo driver to 1.11 [GH-19954]
- database/redis: Upgrade plugin dependencies [GH-20763]
- http: Support responding to HEAD operation from plugins [GH-19520]
- openapi: Add openapi response definitions to /sys defined endpoints. [GH-18633]
- openapi: Add openapi response definitions to pki/config_*.go [GH-18376]
- openapi: Add openapi response definitions to vault/logical_system_paths.go defined endpoints. [GH-18515]
- openapi: Consistently stop Vault server on exit in gen_openapi.sh [GH-19252]
- openapi: Improve operationId/request/response naming strategy [GH-19319]
- openapi: add openapi response definitions to /sys/internal endpoints [GH-18542]
- openapi: add openapi response definitions to /sys/rotate endpoints [GH-18624]
- openapi: add openapi response definitions to /sys/seal endpoints [GH-18625]
- openapi: add openapi response definitions to /sys/tool endpoints [GH-18626]
- openapi: add openapi response definitions to /sys/version-history, /sys/leader, /sys/ha-status, /sys/host-info, /sys/in-flight-req [GH-18628]
- openapi: add openapi response definitions to /sys/wrapping endpoints [GH-18627]
- openapi: add openapi response definitions to /sys/auth endpoints [GH-18465]
- openapi: add openapi response definitions to /sys/capabilities endpoints [GH-18468]
- openapi: add openapi response definitions to /sys/config and /sys/generate-root endpoints [GH-18472]
- openapi: added ability to validate response structures against openapi schema for test clusters [GH-19043]
- sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
- sdk: Add new docker-based cluster testing framework to the sdk. [GH-20247]
- secrets/ad: upgrades dependencies [GH-19829]
- secrets/alicloud: upgrades dependencies [GH-19846]
- secrets/consul: Improve error message when ACL bootstrapping fails. [GH-20891]
- secrets/database: Adds error message requiring password on root credential rotation. [GH-19103]
- secrets/gcpkms: Enable plugin multiplexing; upgrade plugin dependencies [GH-20784]
- secrets/mongodbatlas: upgrades dependencies [GH-19861]
- secrets/openldap: upgrades dependencies [GH-19993]
- secrets/pki: Add missing fields to tidy-status, include new last_auto_tidy_finished field. [GH-20442]
- secrets/pki: Add warning when issuer lacks KeyUsage during CRL rebuilds; expose in logs and on rotation. [GH-20253]
- secrets/pki: Allow determining existing issuers and keys on import. [GH-20441]
- secrets/pki: Include CA serial number, key UUID on issuers list endpoint. [GH-20276]
- secrets/pki: Limit ACME issued certificates NotAfter TTL to a maximum of 90 days [GH-20981]
- secrets/pki: Support TLS-ALPN-01 challenge type in ACME for DNS certificate identifiers. [GH-20943]
- secrets/pki: add subject key identifier to read key response [GH-20642]
- secrets/postgresql: Add configuration to scram-sha-256 encrypt passwords on Vault before sending them to PostgreSQL [GH-19616]
- secrets/terraform: upgrades dependencies [GH-19798]
- secrets/transit: Add support to import public keys in transit engine and allow encryption and verification of signed data [GH-17934]
- secrets/transit: Allow importing RSA-PSS OID (1.2.840.113549.1.1.10) private keys via BYOK. [GH-19519]
- secrets/transit: Respond to writes with updated key policy, cache configuration. [GH-20652]
- secrets/transit: Support BYOK-encrypted export of keys to securely allow synchronizing specific keys and version across clusters. [GH-20736]
- ui: Add download button for each secret value in KV v2 [GH-20431]
- ui: Add filtering by auth type and auth name to the Authentication Method list view. [GH-20747]
- ui: Add filtering by engine type and engine name to the Secret Engine list view. [GH-20481]
- ui: Adds whitespace warning to secrets engine and auth method path inputs [GH-19913]
- ui: Remove the Bulma CSS framework. [GH-19878]
- ui: Update Web CLI with examples and a new `kv-get` command for reading kv v2 data and metadata [GH-20590]
- ui: Updates UI javascript dependencies [GH-19901]
- ui: add allowed_managed_keys field to secret engine mount options [GH-19791]
- ui: adds warning for commas in stringArray inputs and updates tooltip help text to remove references to comma separation [GH-20163]
- ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]
- website/docs: Add rotate root documentation for azure secrets engine [GH-19187]
- website/docs: fix database static-user sample payload [GH-19170]
BUG FIXES:
- agent: Fix agent generate-config to accept -namespace, VAULT_NAMESPACE, and other client-modifying flags. [GH-21297]
- agent: Fix bug with 'cache' stanza validation [GH-20934]
- api: Addressed a couple of issues that arose as edge cases for the -output-policy flag. Specifically around properly handling list commands, distinguishing kv V1/V2, and correctly recognizing protected paths. [GH-19160]
- api: Properly Handle nil identity_policies in Secret Data [GH-20636]
- auth/ldap: Set default value for `max_page_size` properly [GH-20453]
- auth/token: Fix cubbyhole and revocation for legacy service tokens [GH-19416]
- cli/kv: add -mount flag to kv list [GH-19378]
- core (enterprise): Don't delete backend stored data that appears to be filterable on this secondary if we don't have a corresponding mount entry.
- core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
- core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
- core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
- core (enterprise): Fix panic when using invalid accessor for control-group request
- core (enterprise): Fix perf standby WAL streaming failing silently when replication setup happens at a bad time.
- core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
- core (enterprise): Remove MFA Enforcement configuration for namespace when deleting namespace
- core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter` resulting in 412 errors.
- core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will have its own changelog entry. Fix wrong lock used in ListAuths link meta interface implementation. [GH-21260]
- core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
- core: Don't exit just because we think there's a potential deadlock. [GH-21342]
- core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
- core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
- core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [GH-20783]
- identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
- license (enterprise): Fix bug where license would update even if the license didn't change.
- openapi: Small fixes for OpenAPI display attributes. Changed "log-in" to "login" [GH-20285]
- plugin/reload: Fix a possible data race with rollback manager and plugin reload [GH-19468]
- replication (enterprise): Fix a caching issue when replicating filtered data to a performance secondary. This resulted in the data being set to nil in the cache and an "invalid value" error being returned from the API.
- replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
- replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
- replication (enterprise): Fix bug where reloading external plugin on a secondary would break replication.
- replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
- replication (enterprise): Fix regression causing token creation against a role with a new entity alias to be incorrectly forwarded from perf standbys. [GH-21100]
- replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
- replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
- sdk/backend: prevent panic when computing the zero value for a TypeInt64 schema field. [GH-18729]
- secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [GH-20664]
- secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
- secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
- secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
- secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [GH-20668]
- secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
- secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
- sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [GH-20864]
- shamir: change mul and div implementations to be constant-time [GH-19495]
- ui (enterprise): Fix cancel button from transform engine role creation page [GH-19135]
- ui: Fix secret render when path includes %. Resolves #11616. [GH-20430]
- ui: Fixes issue unsealing cluster for seal types other than shamir [GH-20897]
- ui: fixes auto_rotate_period ttl input for transit keys [GH-20731]
- ui: fixes bug in kmip role form that caused operation_all to persist after deselecting all operation checkboxes [GH-19139]
- ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [GH-20907]
- ui: wait for wanted message event during OIDC callback instead of using the first message event [GH-18521]
SECURITY:
- core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. (see CVE-2023-6337 & HCSEC-2023-34)
CHANGES:
- identity (enterprise): POST requests to the
/identity/entity/merge
endpoint are now always forwarded from standbys to the active node. [GH-24325]
BUG FIXES:
- api: Fix deadlock on calls to sys/leader with a namespace configured on the request. [GH-24256]
- core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [GH-24336]
- ui: Fix payload sent when disabling replication [GH-24292]
CHANGES:
- core: Bump Go version to 1.20.11.
IMPROVEMENTS:
- core (enterprise): Speed up unseal when using namespaces
- ui: Sort list view of entities and aliases alphabetically using the item name [GH-24103]
BUG FIXES:
- activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
- auth/cert: Handle errors related to expired OCSP server responses [GH-24193]
- core/config: Use correct HCL config value when configuring log_requests_level. [GH-24057]
- core/quotas: Close rate-limit blocked client purge goroutines when sealing [GH-24108]
- replication (enterprise): disallow configuring paths filter for a mount path that does not exist
- secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [GH-24192]
- ui: Fix error when tuning token auth configuration within namespace [GH-24147]
SECURITY:
- core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [HSEC-2023-33]
CHANGES:
- auth/approle: Normalized error response messages when invalid credentials are provided [GH-23786]
- secrets/mongodbatlas: Update plugin to v0.9.2 [GH-23849]
FEATURES:
- cli/snapshot: Add CLI tool to inspect Vault snapshots [GH-23457]
IMPROVEMENTS:
- storage/etcd: etcd should only return keys when calling List() [GH-23872]
BUG FIXES:
- api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured on the request. [GH-23861]
- core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
- core/activity: Fixes segments fragment loss due to exceeding entry record size limit [GH-23781]
- core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [GH-23802]
- core: Revert PR causing memory consumption bug [GH-23986]
- core: Skip unnecessary deriving of policies during Login MFA Check. [GH-23894]
- core: fix bug where deadlock detection was always on for expiration and quotas. These can now be configured individually with detect_deadlocks. [GH-23902]
- core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [GH-23874]
- expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [GH-24027]
CHANGES:
- core: Bump Go version to 1.20.10.
- replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
IMPROVEMENTS:
- api/plugins: add tls-server-name arg for plugin registration [GH-23549]
- core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [GH-22567]
BUG FIXES:
- command/server: Fix bug with sigusr2 where pprof files were not closed correctly [GH-23636]
- events: Ignore sending context to give more time for events to send [GH-23500]
- expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [GH-23282]
- kmip (enterprise): Improve handling of failures due to storage replication issues.
- kmip (enterprise): Return a structure in the response for query function Query Server Information.
- mongo-db: allow non-admin database for root credential rotation [GH-23240]
- replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
- replication (enterprise): Fix a missing unlock when changing replication state
- secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
- secrets/transit (enterprise): Address panic when using GCP, AWS, or Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled; only signing operations are supported.
- secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
- secrets/transit: Do not allow auto rotation on managed_key key types [GH-23723]
CHANGES:
- core: Bump Go version to 1.20.7.
IMPROVEMENTS:
- core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
- replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
- secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
- storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
- ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
- ui: enables create and update KV secret workflow when control group present [GH-22471]
BUG FIXES:
- activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
- api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
- core (enterprise): Remove MFA Configuration for namespace when deleting namespace
- core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context. Also fix a related potential deadlock. [GH-21110]
- core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
- core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
- core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
- core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
- expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
- license: Add autoloaded license path to the cache exempt list. This is to ensure that license changes on the active node are observed on the perfStandby node. [GH-22363]
- replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
- replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
- replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
- sdk/ldaputil: Properly escape user filters when using UPN domains. sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
- secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22331]
- secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
- ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
- ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
- ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
SECURITY:
- sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8. [HSEC-2023-29]
CHANGES:
- core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
IMPROVEMENTS:
- ui: Added allowed_domains_template field for CA type role in SSH engine [GH-23119]
BUG FIXES:
- core: Fixes list password policy to include those with names containing / characters. [GH-23155]
- secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [GH-23007]
- ui (enterprise): Fix error message when generating SSH credential with control group [GH-23025]
- ui: Fixes old pki's filter and search roles page bug [GH-22810]
- ui: don't exclude features present on license [GH-22855]
SECURITY:
- secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [GH-22852, HSEC-2023-28]
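The nonce regression above is easiest to see with a small AES-GCM model. The Go below is an added example written for this page, not Vault's transit code: the encryptRequest type and its Convergent flag, the key, the attacker-chosen nonce and the two plaintexts are all constructed for the demonstration, and convergent mode is reduced to "caller nonce accepted" rather than Vault's real nonce derivation. It contrasts an encrypt path that honors a caller-supplied nonce in non-convergent mode with one that ignores it, and shows what reusing a GCM nonce under one key gives away.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// encryptRequest is a hypothetical stand-in for the transit encrypt
// parameters that matter here: the plaintext, an optional caller-supplied
// nonce, and whether the key is in convergent mode.
type encryptRequest struct {
	Plaintext  []byte
	Nonce      []byte
	Convergent bool
}

type encryptFunc func(cipher.AEAD, encryptRequest) ([]byte, []byte, error)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomNonce(aead cipher.AEAD) ([]byte, error) {
	n := make([]byte, aead.NonceSize())
	_, err := rand.Read(n)
	return n, err
}

// vulnerableEncrypt models the regression: a caller-supplied nonce is used
// as-is regardless of mode, so a client can force nonce reuse under one key.
func vulnerableEncrypt(aead cipher.AEAD, req encryptRequest) ([]byte, []byte, error) {
	nonce := req.Nonce
	if len(nonce) == 0 {
		var err error
		if nonce, err = randomNonce(aead); err != nil {
			return nil, nil, err
		}
	}
	if len(nonce) != aead.NonceSize() {
		return nil, nil, errors.New("invalid nonce length")
	}
	return nonce, aead.Seal(nil, nonce, req.Plaintext, nil), nil
}

// fixedEncrypt models the fix: outside convergent mode the caller's nonce is
// ignored and a fresh random one is drawn on every call. Convergent mode is
// simplified here to "caller nonce accepted"; this is not Vault's derivation.
func fixedEncrypt(aead cipher.AEAD, req encryptRequest) ([]byte, []byte, error) {
	var nonce []byte
	if req.Convergent && len(req.Nonce) == aead.NonceSize() {
		nonce = req.Nonce
	} else {
		var err error
		if nonce, err = randomNonce(aead); err != nil {
			return nil, nil, err
		}
	}
	return nonce, aead.Seal(nil, nonce, req.Plaintext, nil), nil
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// nonceReuseLeak encrypts two equal-length plaintexts with the same key and
// the same caller-supplied nonce and returns the XOR of the ciphertext bodies
// (16-byte GCM tag stripped). If the nonce was honored both times, the CTR
// keystream repeats and the result equals p1 XOR p2: the plaintext relation
// leaks, and with more pairs the GHASH authentication key can be recovered.
func nonceReuseLeak(encrypt encryptFunc, aead cipher.AEAD, p1, p2, nonce []byte) ([]byte, error) {
	if len(p1) != len(p2) {
		return nil, errors.New("plaintexts must be the same length")
	}
	_, c1, err := encrypt(aead, encryptRequest{Plaintext: p1, Nonce: nonce})
	if err != nil {
		return nil, err
	}
	_, c2, err := encrypt(aead, encryptRequest{Plaintext: p2, Nonce: nonce})
	if err != nil {
		return nil, err
	}
	n := len(p1)
	return xorBytes(c1[:n], c2[:n]), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)   // constructed demo key
	nonce := bytes.Repeat([]byte{0x01}, 12) // attacker-chosen nonce
	p1 := []byte("transfer 100 to alice")
	p2 := []byte("transfer 999 to bobby")
	aead, _ := newAEAD(key)
	leak, _ := nonceReuseLeak(vulnerableEncrypt, aead, p1, p2, nonce)
	fmt.Println("vulnerable: leak == p1 XOR p2:", bytes.Equal(leak, xorBytes(p1, p2)))
	leak, _ = nonceReuseLeak(fixedEncrypt, aead, p1, p2, nonce)
	fmt.Println("fixed:      leak == p1 XOR p2:", bytes.Equal(leak, xorBytes(p1, p2)))
}
```

Run it with `go run`: the vulnerable path prints true, the fixed path false. The design point is that the nonce is part of the key's security contract, so a server must own it unless the mode is explicitly deterministic.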
CHANGES:
- core: Bump Go version to 1.20.8.
- database/snowflake: Update plugin to v0.7.3 [GH-22591]
FEATURES:
- Merkle Tree Corruption Detection (enterprise): Add a new endpoint to check merkle tree corruption.
IMPROVEMENTS:
- auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
- core/quotas: Add configuration to allow skipping of expensive role calculations [GH-22651]
- kmip (enterprise): reduce latency of KMIP operation handling
BUG FIXES:
- cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to table. [GH-22818]
- core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [GH-22597]
- core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
- core/seal: add a workaround for potential connection [hangs] in Azure autoseals. [GH-22760]
- core: All subloggers now reflect configured log level on reload. [GH-22038]
- kmip (enterprise): fix date handling error with some re-key operations
- raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
- replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
SECURITY:
- auth/ldap: Normalize HTTP response codes when invalid credentials are provided to prevent user enumeration. This vulnerability, CVE-2023-3462, is fixed in Vault 1.14.1 and 1.13.5. [GH-21282, HSEC-2023-24]
- core/namespace (enterprise): An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. [HSEC-2023-23]
CHANGES:
- core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace), which will have access to some system backend paths that were previously only accessible in the root namespace. [GH-21215]
- secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
IMPROVEMENTS:
- core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
- core: Add a new periodic metric to track the number of available policies, vault.policy.configured.count. [GH-21010]
- replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
- secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
- sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [GH-21681]
BUG FIXES:
- auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21799]
- core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-24170]
- identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
- replication (enterprise): update primary cluster address after DR failover
- secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21632]
- secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but still referenced in the Vault 1.10 legacy CA bundle, this caused the error: no managed key found with uuid. [GH-21316]
- secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [GH-20664]
- secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
- secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
- serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
- ui: Fixed an issue where editing an SSH role would clear default_critical_options and default_extension if left unchanged. [GH-21739]
- ui: Surface DOMException error when browser settings prevent localStorage. [GH-21503]
BREAKING CHANGES:
- secrets/pki: Maintaining a running count of certificates is now turned off by default. To re-enable keeping these metrics available on the tidy status endpoint, enable maintain_stored_certificate_counts on tidy-config; to also publish them to the metrics consumer, enable publish_stored_certificate_count_metrics. [GH-18186]
CHANGES:
- core: Bump Go version to 1.20.5.
FEATURES:
- Automated License Utilization Reporting: Added automated license utilization reporting, which sends minimal product-license metering data to HashiCorp without requiring you to manually collect and report them.
- core (enterprise): Add background worker for automatic reporting of billing information. [GH-19625]
IMPROVEMENTS:
- api: GET ... /sys/internal/counters/activity?current_billing_period=true now results in a response which contains the full billing period [GH-20694]
- api: /sys/internal/counters/config endpoint now contains read-only minimum_retention_months. [GH-20150]
- api: /sys/internal/counters/config endpoint now contains read-only reporting_enabled and billing_start_timestamp fields. [GH-20086]
- core (enterprise): add configuration for license reporting [GH-19891]
- core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
- core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
- core (enterprise): vault server command now allows for opt-out of automated reporting via the OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
- core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
- core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
- ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]
BUG FIXES:
- agent: Fix bug with 'cache' stanza validation [GH-20934]
- core (enterprise): Don't delete backend stored data that appears to be filterable on this secondary if we don't have a corresponding mount entry.
- core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will have its own changelog entry. Fix wrong lock used in ListAuths link meta interface implementation. [GH-21260]
- core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
- core: Don't exit just because we think there's a potential deadlock. [GH-21342]
- core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
- identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
- replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
- replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
- replication (enterprise): Fix regression causing token creation against a role with a new entity alias to be incorrectly forwarded from perf standbys. [GH-21100]
- storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
CHANGES:
- core: Bump Go version to 1.20.4.
- core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
- replication (enterprise): Add a new parameter for the update-primary API call that allows for setting of the primary cluster addresses directly, instead of via a token.
- storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]
IMPROVEMENTS:
- Add debug symbols back to builds to fix Dynatrace support [GH-20519]
- audit: add a mount_point field to audit requests and response entries [GH-20411]
- autopilot: Update version to v0.2.0 to add better support for respecting min quorum [GH-19472]
- command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
- core: Add possibility to decode a generated encoded root token via the rest API [GH-20595]
- core: include namespace path in granting_policies block of audit log
- core: report intermediate error messages during request forwarding [GH-20643]
- openapi: Fix generated types for duration strings [GH-20841]
- sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
- secrets/pki: add subject key identifier to read key response [GH-20642]
BUG FIXES:
- api: Properly Handle nil identity_policies in Secret Data [GH-20636]
- auth/ldap: Set default value for max_page_size properly [GH-20453]
- cli: CLI should take days as a unit of time for ttl like flags [GH-20477]
- cli: disable printing flags warnings messages for the ssh command [GH-20502]
- command/server: fixes panic in Vault server command when running in recovery mode [GH-20418]
- core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
- core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
- core (enterprise): Remove MFA Enforcement configuration for namespace when deleting namespace
- core/identity: Allow updates of only the custom-metadata for entity alias. [GH-20368]
- core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
- core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [GH-20783]
- core: prevent panic on login after namespace is deleted that had mfa enforcement [GH-20375]
- replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
- replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
- secrets/pki: Include per-issuer enable_aia_url_templating in issuer read endpoint. [GH-20354]
- secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
- secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [GH-20668]
- secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
- secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
- sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [GH-20864]
- ui: Fixes issue unsealing cluster for seal types other than shamir [GH-20897]
- ui: fixes issue creating mfa login enforcement from method enforcements tab [GH-20603]
- ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [GH-20907]
CHANGES:
- core: Bump Go version to 1.20.3.
SECURITY:
- core/seal: Fix handling of HMACing of seal-wrapped storage entries from HSMs using CKM_AES_CBC or CKM_AES_CBC_PAD which may have allowed an attacker to conduct a padding oracle attack. This vulnerability, CVE-2023-2197, affects Vault from 1.13.0 up to 1.13.1 and was fixed in 1.13.2. [HCSEC-2023-14]
IMPROVEMENTS:
- Add debug symbols back to builds to fix Dynatrace support [GH-20294]
- cli/namespace: Add detailed flag to output additional namespace information such as namespace IDs and custom metadata. [GH-20243]
- core/activity: add an endpoint to write test activity log data, guarded by a build flag [GH-20019]
- core: Add a raft sub-field to the storage and ha_storage details provided by the /sys/config/state/sanitized endpoint in order to include the max_entry_size. [GH-20044]
- core: include reason for ErrReadOnly on PBPWF writing failures
- sdk/ldaputil: added connection_timeout to tune connection timeout duration for all LDAP plugins. [GH-20144]
- secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [GH-20201]
- sys/wrapping: Add example how to unwrap without authentication in Vault [GH-20109]
- ui: Allows license-banners to be dismissed. Saves preferences in localStorage. [GH-19116]
BUG FIXES:
- auth/ldap: Add max_page_size configurable to LDAP configuration [GH-19032]
- command/server: Fix incorrect paths in generated config for -dev-tls flag on Windows [GH-20257]
- core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
- core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
- core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert sscGenCounter resulting in 412 errors.
- core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [GH-19721]
- helper/random: Fix race condition in string generator helper [GH-19875]
- kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
- pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [GH-20220]
- replication (enterprise): Fix a caching issue when replicating filtered data to a performance secondary. This resulted in the data being set to nil in the cache and a "invalid value" error being returned from the API.
- replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
- sdk/helper/ocsp: Workaround bug in Go's ocsp.ParseResponse(...), causing validation to fail with embedded CA certificates. auth/cert: Fix OCSP validation against Vault's PKI engine. [GH-20181]
- secrets/aws: Revert changes that removed the lease on STS credentials, while leaving the new ttl field in place. [GH-20034]
- secrets/pki: Ensure cross-cluster delta WAL write failure only logs to avoid unattended forwarding. [GH-20057]
- secrets/pki: Fix building of unified delta CRLs and recovery during unified delta WAL write failures. [GH-20058]
- secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [GH-20341]
- secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
- ui: Fix OIDC provider logo showing when domain doesn't match [GH-20263]
- ui: Fix bad link to namespace when namespace name includes "." [GH-19799]
- ui: fixes browser console formatting for help command output [GH-20064]
- ui: fixes remaining doc links to include /vault in path [GH-20070]
- ui: remove use of htmlSafe except when first sanitized [GH-20235]
- website/docs: Fix Kubernetes Auth Code Example to use the correct whitespace in import. [GH-20216]
SECURITY:
- storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-12]
- secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-11]
- core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-10]
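The CVE-2023-25000 entry above describes the class of problem but not the mechanics. The following is an added example (not Vault's code): a table-driven GF(2^8) multiply of the kind the advisory describes, beside a branch-free, table-free replacement, and a byte-wise Shamir split/combine that uses only the constant-time path. The field polynomial 0x11b, generator 3, and the sample secret and coefficients are this example's assumptions.

```go
package main

import "fmt"

// Added example, not Vault's code. Field: GF(2^8) mod x^8+x^4+x^3+x+1 (0x11b), generator 3.
var logTable, expTable [256]byte

func init() {
	x := byte(1)
	for i := 0; i < 255; i++ {
		expTable[i] = x
		logTable[x] = byte(i)
		x2 := x << 1 // x = x * 3 = (x * 2) ^ x, reduced modulo 0x11b
		if x&0x80 != 0 {
			x2 ^= 0x1b
		}
		x = x2 ^ x
	}
	expTable[255] = expTable[0]
}

// mulTable indexes logTable/expTable by secret-dependent values, so the cache lines
// it touches depend on a and b. That is the side channel the advisory describes.
func mulTable(a, b byte) byte {
	if a == 0 || b == 0 {
		return 0
	}
	return expTable[(int(logTable[a])+int(logTable[b]))%255]
}

// mulCT multiplies with no tables and no secret-dependent branches: every
// iteration does the same work and touches the same memory for any operands.
func mulCT(a, b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		r ^= a & -(b & 1)             // add a if the low bit of b is set (mask, not branch)
		carry := -(a >> 7)            // 0xff if a's high bit is set, else 0x00
		a = (a << 1) ^ (0x1b & carry) // a *= x, reduced modulo 0x11b
		b >>= 1
	}
	return r
}

// invCT computes a^254 = a^-1. The exponent is public, so branching on its bits leaks nothing.
func invCT(a byte) byte {
	r := byte(1)
	for i := 7; i >= 0; i-- {
		r = mulCT(r, r)
		if (254>>uint(i))&1 == 1 {
			r = mulCT(r, a)
		}
	}
	return r
}

// tablesAgree checks both multipliers over all 65536 operand pairs.
func tablesAgree() bool {
	for a := 0; a < 256; a++ {
		for b := 0; b < 256; b++ {
			if mulTable(byte(a), byte(b)) != mulCT(byte(a), byte(b)) {
				return false
			}
		}
	}
	return true
}

// splitByte evaluates secret + c1*x + c2*x^2 + ... at x = 1..n using mulCT.
// In real use the coefficients come from a CSPRNG; here the caller supplies them.
func splitByte(secret byte, coeffs []byte, n int) []byte {
	shares := make([]byte, n)
	for x := 1; x <= n; x++ {
		y, xp := secret, byte(1)
		for _, c := range coeffs {
			xp = mulCT(xp, byte(x))
			y ^= mulCT(c, xp)
		}
		shares[x-1] = y
	}
	return shares
}

// combineByte is Lagrange interpolation at x = 0, again using only mulCT.
func combineByte(xs, ys []byte) byte {
	var secret byte
	for i := range xs {
		num, den := byte(1), byte(1)
		for j := range xs {
			if i != j {
				num = mulCT(num, xs[j])
				den = mulCT(den, xs[j]^xs[i])
			}
		}
		secret ^= mulCT(ys[i], mulCT(num, invCT(den)))
	}
	return secret
}

func main() {
	shares := splitByte(0x5a, []byte{0x3c}, 3) // constructed: threshold 2 of 3
	fmt.Println("multipliers agree:", tablesAgree())
	fmt.Printf("recovered from shares 2,3: %#x\n", combineByte([]byte{2, 3}, shares[1:]))
}
```

The point of the check in tablesAgree is that the two multipliers are functionally identical; what changes is the memory access pattern, which is exactly what a cache-timing observer measures. Treat the constant-time claim as holding at the source level; the compiler and CPU still have to be checked for the target.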
IMPROVEMENTS:
- auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id. website/docs: Add docs for VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing Github config [GH-19244]
- core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
- core: validate name identifiers in mssql physical storage backend prior use [GH-19591]
- database/elasticsearch: Update error messages resulting from Elasticsearch API errors [GH-19545]
- events: Suppress log warnings triggered when events are sent but the events system is not enabled. [GH-19593]
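The CVE-2023-0620 advisory and the GH-19591 improvement above (validating identifiers in the MSSQL physical backend before use) describe the same issue from both sides. The following is an added example, not Vault's code: configured schema and table names spliced straight into T-SQL DDL, beside a version that validates them first. The statement shape, column names and the hostile input are this example's assumptions, not the backend's real schema.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not Vault's code. identRe accepts only what a plain T-SQL regular
// identifier needs; quotes, brackets, semicolons and whitespace are rejected, not escaped.
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,127}$`)

func validIdentifier(s string) bool { return identRe.MatchString(s) }

// createTableUnchecked splices the configured names straight into the DDL, as the
// advisory describes. Bracket quoting does not help: a ']' in the value closes the quote.
func createTableUnchecked(schema, table string) string {
	return fmt.Sprintf(
		"CREATE TABLE [%s].[%s] (Path VARCHAR(512), VaultKey VARCHAR(512), VaultValue VARBINARY(MAX))",
		schema, table)
}

// createTableChecked refuses to build the statement unless both names validate.
func createTableChecked(schema, table string) (string, error) {
	for _, id := range []string{schema, table} {
		if !validIdentifier(id) {
			return "", fmt.Errorf("mssql: refusing to use %q as an identifier", id)
		}
	}
	return createTableUnchecked(schema, table), nil
}

// containsSeparator is a crude tell for the injection: a single well-formed
// CREATE TABLE built from valid identifiers never contains a statement separator.
func containsSeparator(stmt string) bool { return strings.Contains(stmt, ";") }

func main() {
	hostile := "vault]; DROP TABLE dbo.Vault; --" // constructed attacker-controlled config value
	fmt.Println(createTableUnchecked("dbo", hostile))
	if _, err := createTableChecked("dbo", hostile); err != nil {
		fmt.Println("rejected:", err)
	}
	stmt, _ := createTableChecked("dbo", "Vault")
	fmt.Println(stmt)
}
```

Identifiers cannot be bound as query parameters, so an allow-list on the name is the practical control; the advisory's precondition (an attacker who can write Vault's configuration) is exactly the path that delivers the hostile string here.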
BUG FIXES:
- agent: Fix panic when SIGHUP is issued to Agent while it has a non-TLS listener. [GH-19483]
- core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
- core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
- kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
- kmip (enterprise): Fix a problem forwarding some requests to the active node.
- openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
- secrets/ldap: Invalidates WAL entry for static role if password_policy has changed. [GH-19640]
- secrets/pki: Fix PKI revocation request forwarding from standby nodes due to an error wrapping bug [GH-19624]
- secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
- ui: Fixes crypto.randomUUID error in unsecure contexts from third party ember-data library [GH-19428]
- ui: fixes SSH engine config deletion [GH-19448]
- ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
- ui: fixes oidc tabs in auth form submitting with the root's default_role value after a namespace has been inputted [GH-19541]
- ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
- ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]
SECURITY:
- secrets/ssh: removal of the deprecated dynamic keys mode. When any remaining dynamic key leases expire, an error stating "secret is unsupported by this backend" will be thrown by the lease manager. [GH-18874]
- auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999, has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [HCSEC-2023-07]
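The approle entry above, and the GH-19186 bug fix later in this release ("Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion"), describe an authorization gap rather than a parsing bug. The following is an added example, not Vault's code: a toy model of the secret ID store showing why the destroy-by-accessor path has to confirm that the accessor resolves to a secret ID under the role named in the request. The storage layout, role names and accessor values are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Vault's code.
var errNotFound = errors.New("secret ID accessor not found")

// accessorEntry records which role's secret ID an accessor refers to.
type accessorEntry struct {
	RoleName     string
	SecretIDHMAC string
}

type store struct {
	accessors map[string]accessorEntry   // accessor -> entry
	secretIDs map[string]map[string]bool // role -> set of secret ID HMACs
}

// newStore builds the constructed fixture: two roles, one secret ID each.
func newStore() *store {
	s := &store{accessors: map[string]accessorEntry{}, secretIDs: map[string]map[string]bool{}}
	s.add("app-a", "acc-a", "hmac-a")
	s.add("app-b", "acc-b", "hmac-b")
	return s
}

func (s *store) add(role, accessor, hmac string) {
	if s.secretIDs[role] == nil {
		s.secretIDs[role] = map[string]bool{}
	}
	s.secretIDs[role][hmac] = true
	s.accessors[accessor] = accessorEntry{RoleName: role, SecretIDHMAC: hmac}
}

// destroyUnchecked behaves like the vulnerable endpoint: the role in the request
// path is never compared with the role the accessor actually belongs to.
func (s *store) destroyUnchecked(role, accessor string) error {
	ent, ok := s.accessors[accessor]
	if !ok {
		return errNotFound
	}
	delete(s.secretIDs[ent.RoleName], ent.SecretIDHMAC)
	delete(s.accessors, accessor)
	return nil
}

// destroyChecked looks the secret ID up under the requested role first and refuses
// when nothing is there, so a caller with rights on app-a cannot touch app-b.
func (s *store) destroyChecked(role, accessor string) error {
	ent, ok := s.accessors[accessor]
	if !ok {
		return errNotFound
	}
	if !s.secretIDs[role][ent.SecretIDHMAC] {
		return fmt.Errorf("accessor %q does not belong to role %q", accessor, role)
	}
	delete(s.secretIDs[role], ent.SecretIDHMAC)
	delete(s.accessors, accessor)
	return nil
}

func (s *store) has(role, hmac string) bool { return s.secretIDs[role][hmac] }

func main() {
	s := newStore()
	err := s.destroyUnchecked("app-a", "acc-b")
	fmt.Println("unchecked: err =", err, "| app-b still has its secret ID:", s.has("app-b", "hmac-b"))
	s = newStore()
	err = s.destroyChecked("app-a", "acc-b")
	fmt.Println("checked:   err =", err, "| app-b still has its secret ID:", s.has("app-b", "hmac-b"))
}
```

The policy check on the URL path only proves the caller may destroy secret IDs of the named role; the handler still has to prove the object it is about to delete belongs to that role.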
CHANGES:
- auth/alicloud: require the role field on login [GH-19005]
- auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [GH-17768]
- auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users. This will only be used internally for implementing user lockout. [GH-17104]
- core: Bump Go version to 1.20.1.
- core: Vault version has been moved out of sdk and into main vault module. Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString. [GH-14229]
- logging: Removed legacy environment variable for log format ('LOGXI_FORMAT'), should use 'VAULT_LOG_FORMAT' instead [GH-17822]
- plugins: Mounts can no longer be pinned to a specific builtin version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without "builtin" in their metadata remain unaffected. [GH-18051]
- plugins: GET /database/config/:name endpoint now returns an additional plugin_version field in the response data. [GH-16982]
- plugins: GET /sys/auth/:path/tune and GET /sys/mounts/:path/tune endpoints may now return an additional plugin_version field in the response data if set. [GH-17167]
- plugins: GET for /sys/auth, /sys/auth/:path, /sys/mounts, and /sys/mounts/:path paths now return additional plugin_version, running_plugin_version and running_sha256 fields in the response data for each mount. [GH-17167]
- sdk: Remove version package, make useragent.String versionless. [GH-19068]
- secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls [GH-15869]
- secrets/gcpkms: Updated plugin from v0.13.0 to v0.14.0 [GH-19063]
- sys/internal/inspect: Turns off this endpoint by default. A SIGHUP can now be used to reload the configs and turn this endpoint on.
- ui: Upgrade Ember to version 4.4.0 [GH-17086]
FEATURES:
- User lockout: Ignore repeated bad credentials from the same user for a configured period of time. Enabled by default.
- Azure Auth Managed Identities: Allow any Azure resource that supports managed identities to authenticate with Vault [GH-19077]
- Azure Auth Rotate Root: Add support for rotate root in Azure Auth engine [GH-19077]
- Event System (Alpha): Vault has a new opt-in experimental event system. Not yet suitable for production use. Events are currently only generated on writes to the KV secrets engine, but external plugins can also be updated to start generating events. [GH-19194]
- GCP Secrets Impersonated Account Support: Add support for GCP service account impersonation, allowing callers to generate a GCP access token without requiring Vault to store or retrieve a GCP service account key for each role. [GH-19018]
- Kubernetes Secrets Engine UI: Kubernetes is now available in the UI as a supported secrets engine. [GH-17893]
- New PKI UI: Add beta support for new and improved PKI UI [GH-18842]
- PKI Cross-Cluster Revocations: Revocation information can now be synchronized across primary and performance replica clusters offering a unified CRL/OCSP view of revocations across cluster boundaries. [GH-19196]
- Server UDS Listener: Adding listener to Vault server to serve HTTP requests via a Unix domain socket [GH-18227]
- Transit managed keys: The transit secrets engine now supports configuring and using managed keys
- User Lockout: Adds support to configure the user-lockout behaviour for failed logins to prevent brute force attacks for userpass, approle and ldap auth methods. [GH-19230]
- VMSS Flex Authentication: Adds support for Virtual Machine Scale Set Flex Authentication [GH-19077]
- Namespaces (enterprise): Added the ability to allow access to secrets and more to be shared across namespaces that do not share a namespace hierarchy. Using the new sys/config/group-policy-application API, policies can be configured to apply outside of namespace hierarchy, allowing this kind of cross-namespace sharing.
- OpenAPI-based Go & .NET Client Libraries (Beta): We have now made available two new OpenAPI-based Go and OpenAPI-based .NET client libraries (beta). You can use them to perform various secret management operations easily from your applications.
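The two User Lockout feature entries above state the behaviour (ignore repeated bad credentials from the same user for a configured period, to blunt brute force against userpass, approle and ldap) without showing how the counters interact. The following is an added example, not Vault's code: a per-user tracker with the three knobs Vault exposes in its user_lockout config stanza (lockout_threshold, lockout_duration, lockout_counter_reset). The Go field names, the injected clock and the values used in main are this example's assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Added example, not Vault's code.
type LockoutConfig struct {
	Threshold    int           // failures before the user is locked (lockout_threshold)
	Duration     time.Duration // how long a lock lasts (lockout_duration)
	CounterReset time.Duration // quiet time after which the failure count restarts (lockout_counter_reset)
}

type userState struct {
	failures    int
	lastFailure time.Time
	lockedUntil time.Time
}

type Lockout struct {
	cfg   LockoutConfig
	users map[string]*userState
	now   func() time.Time // injectable so the behaviour can be exercised without sleeping
}

func NewLockout(cfg LockoutConfig, now func() time.Time) *Lockout {
	return &Lockout{cfg: cfg, users: map[string]*userState{}, now: now}
}

// Allowed reports whether a login attempt for user should be evaluated at all.
// A locked user gets the same answer whether or not the credential is right,
// which is what denies a brute-force any signal during the lock.
func (l *Lockout) Allowed(user string) bool {
	u, ok := l.users[user]
	return !ok || !l.now().Before(u.lockedUntil)
}

// RecordFailure counts a bad credential. The count restarts after CounterReset of
// quiet, and reaching Threshold locks the user for Duration.
func (l *Lockout) RecordFailure(user string) {
	now := l.now()
	u := l.users[user]
	if u == nil {
		u = &userState{}
		l.users[user] = u
	}
	if now.Sub(u.lastFailure) > l.cfg.CounterReset {
		u.failures = 0
	}
	u.failures++
	u.lastFailure = now
	if u.failures >= l.cfg.Threshold {
		u.lockedUntil = now.Add(l.cfg.Duration)
	}
}

// RecordSuccess clears the failure history once a correct login gets through.
func (l *Lockout) RecordSuccess(user string) { delete(l.users, user) }

func main() {
	clock := time.Date(2023, 3, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	l := NewLockout(
		LockoutConfig{Threshold: 5, Duration: 15 * time.Minute, CounterReset: 15 * time.Minute},
		func() time.Time { return clock })
	for i := 0; i < 5; i++ {
		l.RecordFailure("alice")
	}
	fmt.Println("alice allowed after 5 failures:", l.Allowed("alice"))
	clock = clock.Add(16 * time.Minute)
	fmt.Println("alice allowed 16 minutes later:", l.Allowed("alice"))
}
```

The two timers are independent: Duration bounds how long a lock holds, CounterReset bounds how slowly an attacker can probe without ever tripping the threshold. Setting CounterReset shorter than the time needed to reach Threshold at the attacker's rate makes the lock unreachable, so tune the two together.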
IMPROVEMENTS:
- Redis ElastiCache DB Engine: Renamed configuration parameters for disambiguation; old parameters still supported for compatibility. [GH-18752]
- Bump github.com/hashicorp/go-plugin version from 1.4.5 to 1.4.8 [GH-19100]
- Reduced binary size [GH-17678]
- agent/config: Allow config directories to be specified with -config, and allow multiple -configs to be supplied. [GH-18403]
- agent: Add note in logs when starting Vault Agent indicating if the version differs from the Vault Server. [GH-18684]
- agent: Added token_file auto-auth configuration to allow using a pre-existing token for Vault Agent. [GH-18740]
- agent: Agent listeners can now be given the metrics_only role, serving only metrics, as part of the listener's new top-level role option. [GH-18101]
- agent: Configured Vault Agent listeners now listen without the need for caching to be configured. [GH-18137]
- agent: allows some parts of config to be reloaded without requiring a restart. [GH-18638]
- agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [GH-16872]
- api: Remove dependency on sdk module. [GH-18962]
- api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
- audit: Add elide_list_responses option, providing a countermeasure for a common source of oversized audit log entries [GH-18128]
- audit: Include stack trace when audit logging recovers from a panic. [GH-18121]
- auth/alicloud: upgrades dependencies [GH-18021]
- auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [GH-17540]
- auth/azure: upgrades dependencies [GH-17857]
- auth/cert: Add configurable support for validating client certs with OCSP. [GH-17093]
- auth/cert: Support listing provisioned CRLs within the mount. [GH-18043]
- auth/cf: Remove incorrect usage of CreateOperation from path_config [GH-19098]
- auth/gcp: Upgrades dependencies [GH-17858]
- auth/oidc: Adds abort_on_error parameter to CLI login command to help in non-interactive contexts [GH-19076]
- auth/oidc: Adds ability to set Google Workspace domain for groups search [GH-19076]
- auth/token (enterprise): Allow batch token creation in perfStandby nodes
- auth: Allow naming login MFA methods and using those names instead of IDs in satisfying MFA requirement for requests. Make passcode arguments consistent across login MFA method types. [GH-18610]
- auth: Provide an IP address of the requests from Vault to a Duo challenge after successful authentication. [GH-18811]
- autopilot: Update version to v.0.2.0 to add better support for respecting min quorum
- cli/kv: improve kv CLI to remove data or custom metadata using kv patch [GH-18067]
- cli/pki: Add List-Intermediates functionality to pki client. [GH-18463]
- cli/pki: Add health-check subcommand to evaluate the health of a PKI instance. [GH-17750]
- cli/pki: Add pki issue command, which creates a CSR, has a vault mount sign it, then reimports it. [GH-18467]
- cli/pki: Added "Reissue" command which allows extracting fields from an existing certificate to create a new certificate. [GH-18499]
- cli/pki: Change the pki health-check --list default config output to JSON so it's a usable configuration file [GH-19269]
- cli: Add support for creating requests to existing non-KVv2 PATCH-capable endpoints. [GH-17650]
- cli: Add transit import key helper commands for BYOK to Transit/Transform. [GH-18887]
- cli: Support the -format=raw option, to read non-JSON Vault endpoints and original response bodies. [GH-14945]
- cli: updated vault operator rekey prompts to describe recovery keys when -target=recovery [GH-18892]
- client/pki: Add a new command verify-sign which checks the relationship between two certificates. [GH-18437]
- command/server: Environment variable keys are now logged at startup. [GH-18125]
- core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
- core/identity: Add machine-readable output to body of response upon alias clash during entity merge [GH-17459]
- core/server: Added an environment variable to write goroutine stacktraces to a temporary file for SIGUSR2 signals. [GH-17929]
- core: Add RPCs to read and update userFailedLoginInfo map
- core: Add experiments system and events.alpha1 experiment. [GH-18682]
- core: Add read support to sys/loggers and sys/loggers/:name endpoints [GH-17979]
- core: Add user lockout field to config and configuring this for auth mount using auth tune to prevent brute forcing in auth methods [GH-17338]
- core: Add vault.core.locked_users telemetry metric to emit information about total number of locked users. [GH-18718]
- core: Added sys/locked-users endpoint to list locked users. Changed api endpoint from sys/lockedusers/[mount_accessor]/unlock/[alias_identifier] to sys/locked-users/[mount_accessor]/unlock/[alias_identifier]. [GH-18675]
- core: Added sys/lockedusers/[mount_accessor]/unlock/[alias_identifier] endpoint to unlock an user with given mount_accessor and alias_identifier if locked [GH-18279]
- core: Added warning to /sys/seal-status and vault status command if potentially dangerous behaviour overrides are being used. [GH-17855]
- core: Implemented background thread to update locked user entries every 15 minutes to prevent brute forcing in auth methods. [GH-18673]
- core: License location is no longer cache exempt, meaning sys/health will not contribute as greatly to storage load when using consul as a storage backend. [GH-17265]
- core: Update protoc from 3.21.5 to 3.21.7 [GH-17499]
- core: add detect_deadlocks config to optionally detect core state deadlocks [GH-18604]
- core: added changes for user lockout workflow. [GH-17951]
- core: parallelize backend initialization to improve startup time for large numbers of mounts. [GH-18244]
- database/postgres: Support multiline strings for revocation statements. [GH-18632]
- database/redis-elasticache: changed config argument names for disambiguation [GH-19044]
- database/snowflake: Allow parallel requests to Snowflake [GH-17593]
- hcp/connectivity: Add foundational OSS support for opt-in secure communication between self-managed Vault nodes and HashiCorp Cloud Platform [GH-18228]
- hcp/connectivity: Include HCP organization, project, and resource ID in server startup logs [GH-18315]
- hcp/connectivity: Only update SCADA session metadata if status changes [GH-18585]
- hcp/status: Add cluster-level status information [GH-18351]
- hcp/status: Expand node-level status information [GH-18302]
- logging: Vault Agent supports logging to a specified file path via environment variable, CLI or config [GH-17841]
- logging: Vault agent and server commands support log file and log rotation. [GH-18031]
- migration: allow parallelization of key migration for vault operator migrate in order to speed up a migration. [GH-18817]
- namespaces (enterprise): Add new API, sys/config/group-policy-application, to allow group policies to be configurable to apply to a group in any namespace. The default, within_namespace_hierarchy, is the current behaviour.
- openapi: Add default values to thing_mount_path parameters [GH-18935]
- openapi: Add logic to generate openapi response structures [GH-18192]
- openapi: Add openapi response definitions to approle/path_login.go & approle/path_tidy_user_id.go [GH-18772]
- openapi: Add openapi response definitions to approle/path_role.go [GH-18198]
- openapi: Change gen_openapi.sh to generate schema with generic mount paths [GH-18934]
- openapi: Mark request body objects as required [GH-17909]
- openapi: add openapi response definitions to /sys/audit endpoints [GH-18456]
- openapi: generic_mount_paths: Move implementation fully into server, rather than partially in plugin framework; recognize all 4 singleton mounts (auth/token, cubbyhole, identity, system) rather than just 2; change parameter from {mountPath} to {<type>_mount_path} [GH-18663]
- plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
- plugins: Allow selecting builtin plugins by their reported semantic version of the form vX.Y.Z+builtin or vX.Y.Z+builtin.vault. [GH-17289]
- plugins: Let Vault unseal and mount deprecated builtin plugins in a deactivated state if this is not the first unseal after an upgrade. [GH-17879]
- plugins: Mark app-id auth method Removed and remove the plugin code. [GH-18039]
- plugins: Mark logical database plugins Removed and remove the plugin code. [GH-18039]
- sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
- sdk: Add response schema validation method framework/FieldData.ValidateStrict and two test helpers (ValidateResponse, ValidateResponseData) [GH-18635]
- sdk: Adding FindResponseSchema test helper to assist with response schema validation in tests [GH-18636]
- secrets/aws: Update dependencies [PR-17747] [GH-17747]
- secrets/azure: Adds ability to persist an application for the lifetime of a role. [GH-19096]
- secrets/azure: upgrades dependencies [GH-17964]
- secrets/db/mysql: Add tls_server_name and tls_skip_verify parameters [GH-18799]
- secrets/gcp: Upgrades dependencies [GH-17871]
- secrets/kubernetes: Add /check endpoint to determine if environment variables are set [GH-18] [GH-18587]
- secrets/kubernetes: add /check endpoint to determine if environment variables are set [GH-19084]
- secrets/kv: Emit events on write if events system enabled [GH-19145]
- secrets/kv: make upgrade synchronous when no keys to upgrade [GH-19056]
- secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [GH-17406]
- secrets/pki: Add a new API that returns the serial numbers of revoked certificates on the local cluster [GH-17779]
- secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
- secrets/pki: Added a new API that allows external actors to craft a CRL through JSON parameters [GH-18040]
- secrets/pki: Allow UserID Field (https://www.rfc-editor.org/rfc/rfc1274#section-9.3.1) to be set on Certificates when allowed by role [GH-18397]
- secrets/pki: Allow issuer creation, import to change default issuer via default_follows_latest_issuer. [GH-17824]
- secrets/pki: Allow templating performance replication cluster- and issuer-specific AIA URLs. [GH-18199]
- secrets/pki: Allow tidying of expired issuer certificates. [GH-17823]
- secrets/pki: Allow tidying of the legacy ca_bundle, improving startup on post-migrated, seal-wrapped PKI mounts. [GH-18645]
- secrets/pki: Respond with written data to config/auto-tidy, config/crl, and roles/:role. [GH-18222]
- secrets/pki: Return issuer_id and issuer_name on /issuer/:issuer_ref/json endpoint. [GH-18482]
- secrets/pki: Return new fields revocation_time_rfc3339 and issuer_id to existing certificate serial lookup api if it is revoked [GH-17774]
- secrets/ssh: Allow removing SSH host keys from the dynamic keys feature. [GH-18939]
- secrets/ssh: Evaluate ssh validprincipals user template before splitting [GH-16622]
- secrets/transit: Add an optional reference field to batch operation items which is repeated on batch responses to help more easily correlate inputs with outputs. [GH-18243]
- secrets/transit: Add associated_data parameter for additional authenticated data in AEAD ciphers [GH-17638]
- secrets/transit: Add support for PKCSv1_5_NoOID RSA signatures [GH-17636]
- secrets/transit: Allow configuring whether upsert of keys is allowed. [GH-18272]
- storage/raft: Add retry_join_as_non_voter config option. [GH-18030]
- storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
- sys/internal/inspect: Creates an endpoint to inspect internal subsystems. [GH-17789]
- ui: Add algorithm-signer as a SSH Secrets Engine UI field [GH-10299]
- ui: Add inline policy creation when creating an identity entity or group [GH-17749]
- ui: Added JWT authentication warning message about blocked pop-up windows and web browser settings. [GH-18787]
- ui: Enable typescript for future development [GH-17927]
- ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [GH-18342]
- ui: Update language on database role to "Connection name" [GH-18261] [GH-18350]
- ui: adds allowed_response_headers as param for secret engine mount config [GH-19216]
- ui: consolidate all tag usage [GH-17866]
- ui: mfa: use proper request id generation [GH-17835]
- ui: remove wizard [GH-19220]
- ui: update DocLink component to use new host url: developer.hashicorp.com [GH-18374]
- ui: update TTL picker for consistency [GH-18114]
- ui: use the combined activity log (partial + historic) API for client count dashboard and remove use of monthly endpoint [GH-17575]
- vault/diagnose: Upgrade go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk, go.opentelemetry.io/otel/trace to v1.11.2 [GH-18589]
DEPRECATIONS:
- secrets/ad: Marks the Active Directory (AD) secrets engine as deprecated. [GH-19334]
BUG FIXES:
- api: Remove timeout logic from ReadRaw functions and add ReadRawWithContext [GH-18708]
- auth/alicloud: fix regression in vault login command that caused login to fail [GH-19005]
- auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [GH-19186]
- auth/approle: Fix token_bound_cidrs validation when using /32 blocks for role and secret ID [GH-18145]
- auth/cert: Address a race condition accessing the loaded crls without a lock [GH-18945]
- auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [#173] [GH-18716]
- auth/kubernetes: fixes and dep updates for the auth-kubernetes plugin (see plugin changelog for details) [GH-19094]
- auth/okta: fix a panic for AuthRenew in Okta [GH-18011]
- auth: Deduplicate policies prior to ACL generation [GH-17914]
- cli/kv: skip formatting of nil secrets for patch and put with field parameter set [GH-18163]
- cli/pki: Decode integer values properly in health-check configuration file [GH-19265]
- cli/pki: Fix path for role health-check warning messages [GH-19274]
- cli/pki: Properly report permission issues within health-check mount tune checks [GH-19276]
- cli/transit: Fix import, import-version command invocation [GH-19373]
- cli: Fix issue preventing kv commands from executing properly when the mount path provided by -mount flag and secret key path are the same. [GH-17679]
- cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [GH-17913]
- cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
- command/namespace: Fix vault cli namespace patch examples in help text. [GH-18143]
- core (enterprise): Fix missing quotation mark in error message
- core (enterprise): Fix panic that could occur with SSCT alongside invoking external plugins for revocation.
- core (enterprise): Fix panic when using invalid accessor for control-group request
- core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
- core (enterprise): Supported storage check in vault server command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than raft or consul.
- core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [GH-18766]
- core/activity: de-duplicate namespaces when historical and current month data are mixed [GH-18452]
- core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [GH-17856]
- core/activity: include mount counts when de-duplicating current and historical month data [GH-18598]
- core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [GH-18916]
- core/activity: return partial month counts when querying a historical date range and no historical data exists. [GH-17935]
- core/auth: Return a 403 instead of a 500 for wrapping requests when token is not provided [GH-18859]
- core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
- core/managed-keys (enterprise): Return better error messages when encountering key creation failures
- core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
- core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
- core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
- core/quotas: Fix issue with improper application of default rate limit quota exempt paths [GH-18273]
- core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [GH-17612]
- core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
- core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [GH-17944]
- core: Fix spurious "permission denied" for all HelpOperations on sudo-protected paths [GH-18568]
- core: Fix vault operator init command to show the right curl string with -output-curl-string and right policy hcl with -output-policy [GH-17514]
- core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
- core: Linux packages now have vendor label and set the default label to HashiCorp. This fix is implemented for any future releases, but will not be updated for historical releases.
- core: Prevent panics in sys/leases/lookup, sys/leases/revoke, and sys/leases/renew endpoints if provided lease_id is null [GH-18951]
- core: Refactor lock grabbing code to simplify stateLock deadlock investigations [GH-17187]
- core: fix GPG encryption to support subkeys. [GH-16224]
- core: fix a start up race condition where performance standbys could go into a mount loop if default policies are not yet synced from the active node. [GH-17801]
- core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
- core: fix race when using SystemView.ReplicationState outside of a request context [GH-17186]
- core: prevent memory leak when using control group factors in a policy [GH-17532]
- core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
- core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [GH-18923]
- core: trying to unseal with the wrong key now returns HTTP 400 [GH-17836]
- credential/cert: adds error message if no tls connection is found during the AliasLookahead operation [GH-17904]
- database/mongodb: Fix writeConcern set to be applied to any query made on the database [GH-18546]
- expiration: Prevent panics on perf standbys when an irrevocable lease gets deleted. [GH-18401]
- kmip (enterprise): Fix a problem with some multi-part MAC Verify operations.
- kmip (enterprise): Only require data to be full blocks on encrypt/decrypt operations using CBC and ECB block cipher modes.
- license (enterprise): Fix bug where license would update even if the license didn't change.
- licensing (enterprise): update autoloaded license cache after reload
- login: Store token in tokenhelper for interactive login MFA [GH-17040]
- openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [GH-18554]
- openapi: fix gen_openapi.sh script to correctly load vault plugins [GH-17752]
- plugins/kv: KV v2 returns 404 instead of 500 for request paths that incorrectly include a trailing slash. [GH-17339]
- plugins: Allow running external plugins which override deprecated builtins. [GH-17879]
- plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
- plugins: Listing all plugins while audit logging is enabled will no longer result in an internal server error. [GH-18173]
- plugins: Only report deprecation status for builtin plugins. [GH-17816]
- plugins: Skip loading but still mount data associated with missing plugins on unseal. [GH-18189]
- plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version. [GH-18051]
- replication (enterprise): Fix bug where reloading external plugin on a secondary would break replication.
- sdk: Don't panic if system view or storage methods called during plugin setup. [GH-18210]
- secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
- secrets/ad: Fix bug where updates to config would fail if password isn't provided [GH-19061]
- secrets/gcp: fix issue where IAM bindings were not preserved during policy update [GH-19018]
- secrets/mongodb-atlas: Fix a bug that did not allow WAL rollback to handle partial failures when creating API keys [GH-19111]
- secrets/pki: Address nil panic when an empty POST request is sent to the OCSP handler [GH-18184]
- secrets/pki: Allow patching issuer to set an empty issuer name. [GH-18466]
- secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
- secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [GH-17693]
- secrets/pki: Fixes duplicate otherName in certificates created by the sign-verbatim endpoint. [GH-16700]
- secrets/pki: OCSP GET request parameter was not being URL unescaped before processing. [GH-18938]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
- secrets/pki: Revert fix for PR 18938 [GH-19037]
- secrets/pki: consistently use UTC for CA's notAfter exceeded error message [GH-18984]
- secrets/pki: fix race between tidy's cert counting and tidy status reporting. [GH-18899]
- secrets/transit: Do not warn about unrecognized parameter 'batch_input' [GH-18299]
- secrets/transit: Honor partial_success_response_code on decryption failures. [GH-18310]
- server/config: Use file.Stat when checking file permissions when VAULT_ENABLE_FILE_PERMISSIONS_CHECK is enabled [GH-19311]
- storage/raft (enterprise): An already joined node can rejoin by wiping storage and re-issuing a join request, but in doing so could transiently become a non-voter. In some scenarios this resulted in loss of quorum. [GH-18263]
- storage/raft: Don't panic on unknown raft ops [GH-17732]
- storage/raft: Fix race with follower heartbeat tracker during teardown. [GH-18704]
- ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
- ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [GH-19071]
- ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
- ui: Remove default and add default-service and default-batch to UI token_type for auth mount and tuning. [GH-19290]
- ui: Remove default value of 30 to TtlPicker2 if no value is passed in. [GH-17376]
- ui: allow selection of "default" for ssh algorithm_signer in web interface [GH-17894]
- ui: cleanup unsaved auth method ember data record when navigating away from mount backend form [GH-18651]
- ui: fix entity policies list link to policy show page [GH-17950]
- ui: fixes query parameters not passed in api explorer test requests [GH-18743]
- ui: fixes reliance on secure context (https) by removing methods using the Crypto interface [GH-19403]
- ui: show Get credentials button for static roles detail page when a user has the proper permissions. [GH-19190]
SECURITY:
- secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. [GH-22852]
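Why the regression above matters, shown as an added example that is not Vault's code: a transit key in non-convergent mode must draw a fresh random nonce on every encrypt and ignore any nonce the caller sends. AES-GCM (transit's aes256-gcm96 key type) runs CTR mode internally, so a repeated (key, nonce) pair repeats the keystream and XORing two ciphertexts yields the XOR of the two plaintexts; with enough reused-nonce messages the GHASH authentication key can be recovered as well. The demo key, nonce key and messages below are constructed, and `seal`, `nonceReuseLeaks`, `randomNonce` and `convergentNonce` are illustrative names, not transit's API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// seal encrypts pt under key with a 96-bit nonce using AES-256-GCM, the
// construction behind transit's aes256-gcm96 key type. The output is the
// ciphertext followed by the 16-byte tag.
func seal(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm.Seal(nil, nonce, pt, nil)
}

// xorBytes XORs a and b over their common prefix.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// nonceReuseLeaks reports whether encrypting p1 and p2 under the same key
// and the same nonce reveals p1 XOR p2. GCM is CTR mode inside, so a
// repeated nonce repeats the keystream and ct1 XOR ct2 == p1 XOR p2. That is
// exactly what honoring a caller-chosen nonce in non-convergent mode allows.
func nonceReuseLeaks(key, nonce, p1, p2 []byte) bool {
	ct1 := seal(key, nonce, p1)[:len(p1)]
	ct2 := seal(key, nonce, p2)[:len(p2)]
	return bytes.Equal(xorBytes(ct1, ct2), xorBytes(p1, p2))
}

// randomNonce is what a non-convergent key must do on every encrypt call:
// discard whatever nonce the request carried and draw a fresh one.
func randomNonce() []byte {
	n := make([]byte, 12)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// convergentNonce derives the nonce from the plaintext with HMAC-SHA256 under
// a separate nonce key, so equal plaintexts give equal ciphertexts. That is
// the documented property of a key created with convergent_encryption=true,
// and the only case in which a deterministic nonce is intended.
func convergentNonce(nonceKey, pt []byte) []byte {
	m := hmac.New(sha256.New, nonceKey)
	m.Write(pt)
	return m.Sum(nil)[:12]
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)      // constructed demo key
	nonceKey := bytes.Repeat([]byte{0x24}, 32) // constructed demo nonce key
	p1 := []byte("transfer 100 USD to alice")
	p2 := []byte("transfer 900 USD to mallory")
	fixed := bytes.Repeat([]byte{0x01}, 12) // a caller-supplied, reused nonce

	fmt.Println("reused nonce leaks p1 XOR p2:", nonceReuseLeaks(key, fixed, p1, p2))
	c1, c2 := seal(key, randomNonce(), p1), seal(key, randomNonce(), p1)
	fmt.Println("fresh nonces, same plaintext, equal ciphertexts:", bytes.Equal(c1, c2))
	d1 := seal(key, convergentNonce(nonceKey, p1), p1)
	d2 := seal(key, convergentNonce(nonceKey, p1), p1)
	fmt.Println("convergent mode, same plaintext, equal ciphertexts:", bytes.Equal(d1, d2))
}
```

The check to run against a deployed transit mount is simpler than the code: encrypt the same plaintext twice with the same nonce parameter on a non-convergent key and confirm the two ciphertexts differ. If they are identical, the server is honoring the supplied nonce.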
IMPROVEMENTS:
- auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
- kmip (enterprise): reduce latency of KMIP operation handling
BUG FIXES:
- cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to `table`. [GH-22818]
- core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
- core/seal: add a workaround for potential connection [hangs] in Azure autoseals. [GH-22760]
- raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
- replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
CHANGES:
- core: Bump Go version to 1.19.12.
IMPROVEMENTS:
- core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
- replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
- storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
- ui: enables create and update KV secret workflow when control group present [GH-22471]
BUG FIXES:
- api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
- core (enterprise): Remove MFA Configuration for namespace when deleting namespace
- core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context. Also fix a related potential deadlock. [GH-21110]
- core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
- core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
- core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
- expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
- license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
- replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
- replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
- sdk/ldaputil: Properly escape user filters when using UPN domains; use the EscapeLDAPValue implementation from cap/ldap. [GH-22249]
- secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22332]
- secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
- ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
- ui: fixes `max_versions` default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
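The sdk/ldaputil entry above (escaping user filters when a UPN domain is appended) is the LDAP filter injection class. The following is an added example, not Vault's or cap/ldap's code: it escapes filter values per RFC 4515 and shows how an unescaped login name rewrites the query. The filter template, the `corp.example` UPN domain and the payload are constructed; `escapeFilterValue`, `buildUserFilter` and `assertionCount` are illustrative names.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for use inside an LDAP search filter as
// RFC 4515 requires: the metacharacters ( ) * \ and NUL become \XX hex
// escapes, so the value can never change the structure of the filter.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '(', ')', '*', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildUserFilterUnsafe splices the login name straight into the filter,
// the shape that the fix replaces. The UPN domain is appended to the
// attacker-controlled value, so the injected text lands mid-assertion.
func buildUserFilterUnsafe(username, upnDomain string) string {
	return fmt.Sprintf("(&(objectClass=person)(userPrincipalName=%s@%s))", username, upnDomain)
}

// buildUserFilter escapes the caller-controlled username first. The domain
// is operator configuration, but escaping it too costs nothing and guards
// against a mistyped config value.
func buildUserFilter(username, upnDomain string) string {
	return fmt.Sprintf("(&(objectClass=person)(userPrincipalName=%s@%s))",
		escapeFilterValue(username), escapeFilterValue(upnDomain))
}

// assertionCount counts the "(attr=value)" assertions in a filter, skipping
// the (& (| and (! operator nodes. The template above has exactly two; if a
// substituted username raises that number, the input rewrote the query.
func assertionCount(filter string) int {
	n := 0
	for i := 0; i+1 < len(filter); i++ {
		if filter[i] == '(' && filter[i+1] != '&' && filter[i+1] != '|' && filter[i+1] != '!' {
			n++
		}
	}
	return n
}

func main() {
	payload := "*)(objectClass=*" // constructed injection: matches every person
	unsafe := buildUserFilterUnsafe(payload, "corp.example")
	safe := buildUserFilter(payload, "corp.example")
	fmt.Printf("unsafe: %s  (%d assertions)\n", unsafe, assertionCount(unsafe))
	fmt.Printf("safe:   %s  (%d assertions)\n", safe, assertionCount(safe))
}
```

The unescaped form turns `userPrincipalName=<name>@corp.example` into `userPrincipalName=*` plus an extra wildcard term, which is why the bind-then-search flow must never trust the name it is searching for. Escaping keeps the assertion count at two regardless of input.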
SECURITY:
- core/namespace (enterprise): An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9. [HSEC_2023-23]
CHANGES:
- secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
IMPROVEMENTS:
- core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
- replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
- secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
BUG FIXES:
- core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-24170]
- identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
- replication (enterprise): update primary cluster address after DR failover
- secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21633]
- secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but still referenced in the Vault 1.10 legacy CA bundle, this produced the error: `no managed key found with uuid`. [GH-21316]
- secrets/pki: Support setting both maintain_stored_certificate_counts=false and publish_stored_certificate_count_metrics=false explicitly in tidy config. [GH-20664]
- secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
- secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
- serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
- ui: Fixed an issue where editing an SSH role would clear `default_critical_options` and `default_extension` if left unchanged. [GH-21739]
BREAKING CHANGES:
- secrets/pki: Maintaining a running count of certificates will be turned off by default. To re-enable keeping these metrics available on the tidy status endpoint, enable `maintain_stored_certificate_counts` in tidy-config; to also publish them to the metrics consumer, enable `publish_stored_certificate_count_metrics`. [GH-18186]
CHANGES:
- core: Bump Go version to 1.19.10.
FEATURES:
- Automated License Utilization Reporting: Added automated license utilization reporting, which sends minimal product-license metering data to HashiCorp without requiring you to manually collect and report them.
- core (enterprise): Add background worker for automatic reporting of billing information. [GH-19625]
IMPROVEMENTS:
- api: GET ... /sys/internal/counters/activity?current_billing_period=true now results in a response which contains the full billing period [GH-20694]
- api: `/sys/internal/counters/config` endpoint now contains read-only `minimum_retention_months`. [GH-20150]
- api: `/sys/internal/counters/config` endpoint now contains read-only `reporting_enabled` and `billing_start_timestamp` fields. [GH-20086]
- core (enterprise): add configuration for license reporting [GH-19891]
- core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
- core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
- core (enterprise): vault server command now allows for opt-out of automated reporting via the `OPTOUT_LICENSE_REPORTING` environment variable. [GH-3939]
- core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
- core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
- ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]
BUG FIXES:
- core (enterprise): Don't delete backend stored data that appears to be filterable on this secondary if we don't have a corresponding mount entry.
- core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [GH-18766]
- core/activity: de-duplicate namespaces when historical and current month data are mixed [GH-18452]
- core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [GH-17856]
- core/activity: include mount counts when de-duplicating current and historical month data [GH-18598]
- core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [GH-18916]
- core/activity: return partial month counts when querying a historical date range and no historical data exists. [GH-17935]
- core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will have its own changelog entry. Fix wrong lock used in ListAuths link meta interface implementation. [GH-21260]
- core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
- core: Don't exit just because we think there's a potential deadlock. [GH-21342]
- core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
- identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
- replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
- replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
- storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
SECURITY:
- ui: key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. [HSEC-2023-17]
CHANGES:
- core: Bump Go version to 1.19.9.
- core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
IMPROVEMENTS:
- audit: add a `mount_point` field to audit requests and response entries [GH-20411]
- command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when `VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [GH-20609]
- core: include namespace path in granting_policies block of audit log
- openapi: Fix generated types for duration strings [GH-20841]
- sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
- secrets/pki: add subject key identifier to read key response [GH-20642]
- ui: update TTL picker for consistency [GH-18114]
BUG FIXES:
- api: Properly Handle nil identity_policies in Secret Data [GH-20636]
- auth/ldap: Set default value for `max_page_size` properly [GH-20453]
- cli: CLI should take days as a unit of time for ttl like flags [GH-20477]
- cli: disable printing flags warnings messages for the ssh command [GH-20502]
- core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
- core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
- core (enterprise): Remove MFA Enforcement configuration for namespace when deleting namespace
- core: prevent panic on login after namespace is deleted that had mfa enforcement [GH-20375]
- replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
- replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
- secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
- secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions. secrets/transit: Fix bug related to shorter dedicated HMAC key sizing. sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [GH-20864]
- ui: Fixes issue unsealing cluster for seal types other than shamir [GH-20897]
CHANGES:
- core: Bump Go version to 1.19.8.
IMPROVEMENTS:
- cli/namespace: Add detailed flag to output additional namespace information such as namespace IDs and custom metadata. [GH-20243]
- core/activity: add an endpoint to write test activity log data, guarded by a build flag [GH-20019]
- core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the `/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [GH-20044]
- sdk/ldaputil: added `connection_timeout` to tune connection timeout duration for all LDAP plugins. [GH-20144]
- secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [GH-20201]
BUG FIXES:
- auth/ldap: Add max_page_size configurable to LDAP configuration [GH-19032]
- command/server: Fix incorrect paths in generated config for `-dev-tls` flag on Windows [GH-20257]
- core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, the client received the following error: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
- core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
- core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter` resulting in 412 errors.
- core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [GH-19721]
- helper/random: Fix race condition in string generator helper [GH-19875]
- kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
- openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [GH-18554]
- pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [GH-20220]
- replication (enterprise): Fix a caching issue when replicating filtered data to a performance secondary. This resulted in the data being set to nil in the cache and a "invalid value" error being returned from the API.
- replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
- secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [GH-20341]
- secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
- ui: Fix OIDC provider logo showing when domain doesn't match [GH-20263]
- ui: Fix bad link to namespace when namespace name includes `.` [GH-19799]
- ui: fixes browser console formatting for help command output [GH-20064]
- ui: remove use of htmlSafe except when first sanitized [GH-20235]
SECURITY:
- storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-12]
- secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-11]
- core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-10]
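The CVE-2023-25000 entry above is a textbook cache-timing bug: Shamir share combination does GF(2^8) arithmetic, and a log/antilog table multiply touches memory at secret-dependent addresses. The following is an added example, not Vault's shamir package: it puts the table-lookup multiply beside a branch-free, table-free replacement, then uses the constant-time arithmetic for a complete split/combine over bytes. The share layout (x coordinate as the last byte) and the function names `gfMulTable`, `gfMulCT`, `gfInvCT`, `split` and `combine` are this example's own choices.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
)

// xtime multiplies by x in GF(2^8) mod the AES polynomial, branch-free: the
// reduction mask is an arithmetic shift of the high bit, not "if b&0x80 != 0".
func xtime(b byte) byte {
	return (b << 1) ^ (byte(int8(b)>>7) & 0x1b)
}

// Log/antilog tables with generator 3. gfMulTable is the lookup multiply the
// advisory describes: which cache lines it touches depends on the share bytes.
var logTbl, expTbl [256]byte

func init() {
	x := byte(1)
	for i := 0; i < 255; i++ {
		expTbl[i], logTbl[x] = x, byte(i)
		x ^= xtime(x) // x = 3x
	}
}

func gfMulTable(a, b byte) byte {
	if a == 0 || b == 0 { // secret-dependent branch: a second timing signal
		return 0
	}
	return expTbl[(int(logTbl[a])+int(logTbl[b]))%255]
}

// gfMulCT is the constant-time replacement: eight fixed iterations, no table,
// no data-dependent branch; the low bit of b selects a through a mask.
func gfMulCT(a, b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		r ^= a & -(b & 1)
		a = xtime(a)
		b >>= 1
	}
	return r
}

// gfInvCT returns a^254 == a^-1 (a != 0) on a fixed square-and-multiply schedule.
func gfInvCT(a byte) byte {
	r, sq := byte(1), a
	for i := 0; i < 7; i++ {
		sq = gfMulCT(sq, sq)
		r = gfMulCT(r, sq)
	}
	return r
}

// split shares each secret byte with a fresh random degree threshold-1
// polynomial whose constant term is that byte (Horner evaluation). Share i
// holds the values at x=i+1 and carries x as its last byte.
func split(secret []byte, n, threshold int) ([][]byte, error) {
	if threshold < 2 || threshold > n || n > 255 {
		return nil, errors.New("invalid n/threshold")
	}
	shares := make([][]byte, n)
	for i := range shares {
		shares[i] = make([]byte, len(secret)+1)
		shares[i][len(secret)] = byte(i + 1)
	}
	coef := make([]byte, threshold)
	for idx, b := range secret {
		coef[0] = b
		if _, err := rand.Read(coef[1:]); err != nil {
			return nil, err
		}
		for i := range shares {
			x, y := byte(i+1), byte(0)
			for k := threshold - 1; k >= 0; k-- {
				y = gfMulCT(y, x) ^ coef[k]
			}
			shares[i][idx] = y
		}
	}
	return shares, nil
}

// combine interpolates at x=0 with Lagrange basis polynomials (subtraction is
// XOR). Too few shares decode to garbage, not an error; a duplicated x would
// divide by zero, so it is rejected up front.
func combine(shares [][]byte) ([]byte, error) {
	l := len(shares[0]) - 1
	xs := make([]byte, len(shares))
	for i, s := range shares {
		xs[i] = s[l]
		if bytes.IndexByte(xs[:i], xs[i]) >= 0 {
			return nil, errors.New("duplicate share")
		}
	}
	secret := make([]byte, l)
	for idx := range secret {
		for i := range shares {
			basis := byte(1)
			for j := range shares {
				if j != i {
					basis = gfMulCT(basis, gfMulCT(xs[j], gfInvCT(xs[j]^xs[i])))
				}
			}
			secret[idx] ^= gfMulCT(basis, shares[i][idx])
		}
	}
	return secret, nil
}
```

The practitioner caveat: "constant-time" here means no secret-indexed memory access and no secret-dependent branch at the source level. A compiler can still reintroduce branches, so code like this is normally checked with a tool such as dudect or by inspecting the generated assembly, and the unseal path should additionally rate-limit and audit the operations an attacker would need to observe.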
IMPROVEMENTS:
- auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id. website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [GH-19244]
- core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
- core: validate name identifiers in mssql physical storage backend prior use [GH-19591]
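The mssql entry directly above is the hardening for CVE-2023-0620 in the SECURITY section: database, schema and table names from the storage config end up inside DDL/DML text, where parameter binding cannot protect them, so the only sound control is an allowlist on the identifier itself. The following is an added example, not Vault's mssql backend: a vulnerable builder that pastes config strings into a statement, beside a hardened one that validates and bracket-quotes them. The `storageConfig` type, the statement text and the `xp_cmdshell` payload are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

type storageConfig struct {
	Database, Schema, Table string
}

// identRe is the allowlist for an identifier taken from operator config: a
// leading letter or underscore, then letters, digits or underscores, at most
// 128 characters (SQL Server's sysname limit).
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,127}$`)

// validateIdentifier refuses anything outside the allowlist. Names that
// become part of statement text cannot be bound as parameters, so this check
// is the control, not an optimisation.
func validateIdentifier(kind, name string) error {
	if !identRe.MatchString(name) {
		return fmt.Errorf("invalid %s identifier %q", kind, name)
	}
	return nil
}

// quoteIdentifier applies T-SQL bracket quoting, doubling any "]" inside.
// Used after validation as defence in depth, never instead of it.
func quoteIdentifier(name string) string {
	return "[" + strings.ReplaceAll(name, "]", "]]") + "]"
}

// buildCreateTableUnsafe is the vulnerable shape: config strings pasted into
// the statement, so a table name that contains ";" becomes extra statements.
func buildCreateTableUnsafe(c storageConfig) string {
	return fmt.Sprintf("CREATE TABLE %s.%s.%s (Path VARCHAR(512) PRIMARY KEY, Value VARBINARY(MAX))",
		c.Database, c.Schema, c.Table)
}

// buildCreateTable validates every identifier first, then quotes it.
func buildCreateTable(c storageConfig) (string, error) {
	fields := []struct{ kind, val string }{
		{"database", c.Database}, {"schema", c.Schema}, {"table", c.Table},
	}
	for _, f := range fields {
		if err := validateIdentifier(f.kind, f.val); err != nil {
			return "", err
		}
	}
	return fmt.Sprintf("CREATE TABLE %s.%s.%s (Path VARCHAR(512) PRIMARY KEY, Value VARBINARY(MAX))",
		quoteIdentifier(c.Database), quoteIdentifier(c.Schema), quoteIdentifier(c.Table)), nil
}

func main() {
	// Constructed payload: a "table name" carrying a second statement.
	bad := storageConfig{Database: "Vault", Schema: "dbo",
		Table: "Vault (k int); EXEC xp_cmdshell 'whoami'; --"}
	fmt.Println("unsafe:", buildCreateTableUnsafe(bad))
	if _, err := buildCreateTable(bad); err != nil {
		fmt.Println("hardened:", err)
	}
	stmt, _ := buildCreateTable(storageConfig{Database: "Vault", Schema: "dbo", Table: "Vault"})
	fmt.Println("hardened:", stmt)
}
```

The advisory's precondition (an attacker who can write Vault's configuration) already implies a serious compromise, which is why the fix is a validation step rather than a redesign: it closes the path from config file to database server without changing how the backend is deployed.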
BUG FIXES:
- cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [GH-17913]
- core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
- core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
- kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
- kmip (enterprise): Fix a problem forwarding some requests to the active node.
- openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
- secrets/ldap: Invalidates WAL entry for static role if `password_policy` has changed. [GH-19641]
- secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
- ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
- ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
- ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]
SECURITY:
- auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [HSEC-2023-07]
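The CVE-2023-24999 entry above is a missing ownership check: the accessor identified a secret ID, but the handler never confirmed that the secret ID belonged to the role named in the request path, which is the role the caller's policy actually covers. The following is an added example, not Vault's approle code, contrasting the two shapes over an in-memory store. The `secretIDStore` type, its methods and the constructed accessors are this example's own; returning the same error for "unknown accessor" and "belongs to another role" is a design choice made here so the endpoint cannot be used to enumerate other roles' accessors.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// secretIDEntry is what an accessor resolves to. RoleName is the field the
// destroy handler must compare with the role in the request path.
type secretIDEntry struct {
	RoleName     string
	SecretIDHMAC string // stand-in for the HMAC of the secret ID
}

type secretIDStore struct {
	mu         sync.Mutex
	byAccessor map[string]*secretIDEntry
}

var errAccessorNotFound = errors.New("secret ID accessor not found for this role")

func newStore() *secretIDStore {
	return &secretIDStore{byAccessor: map[string]*secretIDEntry{}}
}

func (s *secretIDStore) add(accessor, role, hmac string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byAccessor[accessor] = &secretIDEntry{RoleName: role, SecretIDHMAC: hmac}
}

func (s *secretIDStore) exists(accessor string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.byAccessor[accessor] != nil
}

// destroyVulnerable is the pre-fix shape: the accessor is looked up and
// deleted and the role from the URL is never consulted, so anyone allowed to
// reach .../role/<own-role>/secret-id-accessor/destroy can delete another
// role's secret ID.
func (s *secretIDStore) destroyVulnerable(role, accessor string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.byAccessor, accessor)
	return nil
}

// destroy is the fixed shape: nil-check the entry, then require that it
// belongs to the role in the path before deleting anything.
func (s *secretIDStore) destroy(role, accessor string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	entry, ok := s.byAccessor[accessor]
	if !ok || entry == nil {
		return errAccessorNotFound
	}
	if entry.RoleName != role {
		return errAccessorNotFound
	}
	delete(s.byAccessor, accessor)
	return nil
}

func main() {
	s := newStore()
	s.add("acc-web-1", "web", "hmac-web-1") // constructed accessors
	s.add("acc-db-1", "db", "hmac-db-1")
	fmt.Println("vulnerable, web destroys db's accessor:", s.destroyVulnerable("web", "acc-db-1"), "exists:", s.exists("acc-db-1"))
	s.add("acc-db-1", "db", "hmac-db-1")
	fmt.Println("fixed, web destroys db's accessor:", s.destroy("web", "acc-db-1"), "exists:", s.exists("acc-db-1"))
	fmt.Println("fixed, db destroys its own accessor:", s.destroy("db", "acc-db-1"), "exists:", s.exists("acc-db-1"))
}
```

The general rule this illustrates: whenever an object is addressed by a global handle (accessor, ID, UUID) under a path that names a scope, the handler must verify that the object belongs to that scope before acting, because the ACL only ever evaluated the path.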
CHANGES:
- core: Bump Go version to 1.19.6.
IMPROVEMENTS:
- secrets/database: Adds error message requiring password on root credential rotation. [GH-19103]
- ui: remove wizard [GH-19220]
BUG FIXES:
- auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [GH-19186]
- core (enterprise): Fix panic when using invalid accessor for control-group request
- core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
- core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [GH-18951]
- license (enterprise): Fix bug where license would update even if the license didn't change.
- replication (enterprise): Fix bug where reloading external plugin on a secondary would break replication.
- secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [GH-18207]
- secrets/pki: Revert fix for PR 18938 [GH-19037]
- server/config: Use file.Stat when checking file permissions when VAULT_ENABLE_FILE_PERMISSIONS_CHECK is enabled [GH-19311]
- ui (enterprise): Fix cancel button from transform engine role creation page [GH-19135]
- ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [GH-19071]
- ui: fixes reliance on secure context (https) by removing methods using the Crypto interface [GH-19410]
- ui: show Get credentials button for static roles detail page when a user has the proper permissions. [GH-19190]
CHANGES:
- core: Bump Go version to 1.19.4.
IMPROVEMENTS:
- audit: Include stack trace when audit logging recovers from a panic. [GH-18121]
- command/server: Environment variable keys are now logged at startup. [GH-18125]
- core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
- core: Add read support to `sys/loggers` and `sys/loggers/:name` endpoints [GH-17979]
- plugins: Let Vault unseal and mount deprecated builtin plugins in a deactivated state if this is not the first unseal after an upgrade. [GH-17879]
- secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters [GH-18799]
- secrets/kv: new KVv2 mounts and KVv1 mounts without any keys will upgrade synchronously, allowing for instant use [GH-17406]
- storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
- ui: Added JWT authentication warning message about blocked pop-up windows and web browser settings. [GH-18787]
- ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [GH-18342]
- ui: Update language on database role to "Connection name" [GH-18261] [GH-18350]
BUG FIXES:
- auth/approle: Fix `token_bound_cidrs` validation when using /32 blocks for role and secret ID [GH-18145]
- auth/cert: Address a race condition accessing the loaded crls without a lock [GH-18945]
- auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [#173] [GH-18716]
- cli/kv: skip formatting of nil secrets for patch and put with field parameter set [GH-18163]
- command/namespace: Fix vault cli namespace patch examples in help text. [GH-18143]
- core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
- core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
- core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
- core/quotas: Fix issue with improper application of default rate limit quota exempt paths [GH-18273]
- core/seal: Fix regression handling of the key_id parameter in seal configuration HCL. [GH-17612]
- core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
- core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [GH-18923]
- database/mongodb: Fix writeConcern set to be applied to any query made on the database [GH-18546]
- expiration: Prevent panics on perf standbys when an irrevocable lease gets deleted. [GH-18401]
- kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
- kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
- kmip (enterprise): Fix Query operation response that omitted streaming capability and supported profiles.
- licensing (enterprise): update autoloaded license cache after reload
- plugins: Allow running external plugins which override deprecated builtins. [GH-17879]
- plugins: Listing all plugins while audit logging is enabled will no longer result in an internal server error. [GH-18173]
- plugins: Skip loading but still mount data associated with missing plugins on unseal. [GH-18189]
- sdk: Don't panic if system view or storage methods called during plugin setup. [GH-18210]
- secrets/pki: Address nil panic when an empty POST request is sent to the OCSP handler [GH-18184]
- secrets/pki: Allow patching issuer to set an empty issuer name. [GH-18466]
- secrets/pki: OCSP GET request parameter was not being URL unescaped before processing. [GH-18938]
- secrets/pki: fix race between tidy's cert counting and tidy status reporting. [GH-18899]
- secrets/transit: Do not warn about unrecognized parameter 'batch_input' [GH-18299]
- secrets/transit: Honor `partial_success_response_code` on decryption failures. [GH-18310]
- storage/raft (enterprise): An already joined node can rejoin by wiping storage and re-issuing a join request, but in doing so could transiently become a non-voter. In some scenarios this resulted in loss of quorum. [GH-18263]
- storage/raft: Don't panic on unknown raft ops [GH-17732]
- ui: cleanup unsaved auth method ember data record when navigating away from mount backend form [GH-18651]
- ui: fixes query parameters not passed in api explorer test requests [GH-18743]
CHANGES:
- core: Bump Go version to 1.19.3.
- plugins: Mounts can no longer be pinned to a specific builtin version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without `builtin` in their metadata remain unaffected. [GH-18051]
IMPROVEMENTS:
- secrets/pki: Allow issuer creation, import to change default issuer via `default_follows_latest_issuer`. [GH-17824]
- storage/raft: Add `retry_join_as_non_voter` config option. [GH-18030]
BUG FIXES:
- auth/okta: fix a panic for AuthRenew in Okta [GH-18011]
- auth: Deduplicate policies prior to ACL generation [GH-17914]
- cli: Fix issue preventing kv commands from executing properly when the mount path provided by `-mount` flag and secret key path are the same. [GH-17679]
- core (enterprise): Supported storage check in `vault server` command will no longer prevent startup. Instead, a warning will be logged if configured to use storage backend other than `raft` or `consul`.
- core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
- core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [GH-17944]
- core: fix a start up race condition where performance standbys could go into a mount loop if default policies are not yet synced from the active node. [GH-17801]
- plugins: Only report deprecation status for builtin plugins. [GH-17816]
- plugins: Vault upgrades will no longer fail if a mount has been created using an explicit builtin plugin version. [GH-18051]
- secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
- secrets/azure: add WAL to clean up role assignments if errors occur [GH-18086]
- secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [GH-18111]
- secrets/pki: Fix upgrade of missing expiry, delta_rebuild_interval by setting them to the default. [GH-17693]
- ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
- ui: fix entity policies list link to policy show page [GH-17950]
IMPROVEMENTS:
- api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
- database/snowflake: Allow parallel requests to Snowflake [GH-17593]
- plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
- sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
BUG FIXES:
- cli: Remove empty table heading for `vault secrets list -detailed` output. [GH-17577]
- core/managed-keys (enterprise): Return better error messages when encountering key creation failures
- core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
- core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
- core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
- core: prevent memory leak when using control group factors in a policy [GH-17532]
- core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
- kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
- kmip (enterprise): Fix selection of Cryptographic Parameters for Encrypt/Decrypt operations.
- login: Store token in tokenhelper for interactive login MFA [GH-17040]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
SECURITY:
- secrets/pki: Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10. [HSEC-2022-24]
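The CVE-2022-41316 entry above is a fail-open revocation check: a CRL that has not been loaded yet is indistinguishable, to a naive lookup, from a CRL that revokes nothing. The following is an added example, not Vault's cert auth method: it generates a throwaway CA, a client certificate and a CRL with the standard library, then shows a checker that passes revoked certificates until the CRL is fetched next to one that loads the CRL at startup and fails closed until then. Everything here (the `demo-ca` subject, serials 10 and 11, the `revocationChecker` type and its methods) is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert fills in validity, generates a P-256 key and signs tmpl with
// parent/parentKey; a nil parent means self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newCA builds a self-signed CA allowed to sign certificates and CRLs.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// issueClient issues a client-auth leaf with the given serial number.
func issueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	cert, _ := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "client"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

// signCRL returns a DER CRL from the CA that revokes the given serials.
func signCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) []byte {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(time.Hour),
	}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	must(err)
	return der
}

// revocationChecker holds the parsed CRL. loaded separates "nothing is
// revoked" from "the CRL has not been fetched yet", which the bug conflated.
type revocationChecker struct {
	ca      *x509.Certificate
	revoked map[string]bool
	loaded  bool
}

// load verifies the CRL's signature and freshness before trusting it.
func (c *revocationChecker) load(der []byte) error {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(c.ca); err != nil {
		return err
	}
	if time.Now().After(rl.NextUpdate) {
		return errors.New("CRL is stale")
	}
	c.revoked = map[string]bool{}
	for _, e := range rl.RevokedCertificates {
		c.revoked[e.SerialNumber.String()] = true
	}
	c.loaded = true
	return nil
}

// allowLazy is the pre-fix behaviour: with no CRL loaded the map is empty
// and every certificate, revoked or not, is accepted.
func (c *revocationChecker) allowLazy(cert *x509.Certificate) bool {
	return !c.revoked[cert.SerialNumber.String()]
}

// allow is the fixed behaviour: the CRL is loaded when the mount starts, and
// the check fails closed until it has been.
func (c *revocationChecker) allow(cert *x509.Certificate) bool {
	return c.loaded && !c.revoked[cert.SerialNumber.String()]
}
```

A real deployment adds what the example leaves out: a refresh loop keyed on `NextUpdate`, an alert when a fetch fails, and a decision, made explicitly and documented, about whether a stale CRL fails open or closed. The bug fixed above was not that decision being wrong but that it was never made.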
CHANGES:
- api: Exclusively use `GET /sys/plugins/catalog` endpoint for listing plugins, and add `details` field to list responses. [GH-17347]
- auth: `GET /sys/auth/:name` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [GH-16849]
- auth: `GET /sys/auth` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [GH-16849]
- auth: `POST /sys/auth/:type` endpoint response contains a warning for `Deprecated` auth methods. [GH-17058]
- auth: `auth enable` returns an error and `POST /sys/auth/:type` endpoint reports an error for `Pending Removal` auth methods. [GH-17005]
- core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
- core: Bump Go version to 1.19.2.
- core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
- identity: a request to `/identity/group` that includes `member_group_ids` that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
- licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license expiration time is before the build date of the binary.
- plugins: Add plugin version to auth register, list, and mount table [GH-16856]
- plugins: `GET /sys/plugins/catalog/:type/:name` endpoint contains deprecation status for builtin plugins. [GH-17077]
- plugins: `GET /sys/plugins/catalog/:type/:name` endpoint now returns an additional `version` field in the response data. [GH-16688]
- plugins: `GET /sys/plugins/catalog/` endpoint contains deprecation status in `detailed` list. [GH-17077]
- plugins: `GET /sys/plugins/catalog` endpoint now returns an additional `detailed` field in the response data with a list of additional plugin metadata. [GH-16688]
- plugins: `plugin info` displays deprecation status for builtin plugins. [GH-17077]
- plugins: `plugin list` now accepts a `-detailed` flag, which displays deprecation status and version info. [GH-17077]
- secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [GH-17180]
- secrets: All database-specific (standalone DB) secrets engines are now marked `Pending Removal`. [GH-17038]
- secrets: `GET /sys/mounts/:name` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [GH-16849]
- secrets: `GET /sys/mounts` endpoint now returns an additional `deprecation_status` field in the response data for builtins. [GH-16849]
- secrets: `POST /sys/mounts/:type` endpoint response contains a warning for `Deprecated` secrets engines. [GH-17058]
- secrets: `secrets enable` returns an error and `POST /sys/mount/:type` endpoint reports an error for `Pending Removal` secrets engines. [GH-17005]
FEATURES:
- GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
- LDAP Secrets Engine: Adds the `ldap` secrets engine with service account check-out functionality for all supported schemas. [GH-17152]
- OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
- Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [GH-17070]
- Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
- Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
- Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
- HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
- ui: UI support for Okta Number Challenge. [GH-15998]
- Plugin Versioning: Vault supports registering, managing, and running plugins with semantic versions specified.
IMPROVEMENTS:
- core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
- activity (enterprise): Added new clients unit tests to test accuracy of estimates
- agent/auto-auth: Add exit_on_err which, when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
- agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
- agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
- agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
- agent: Send notifications to systemd on start and stop. [GH-9802]
- api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
- api: Add a sentinel error for missing KV secrets [GH-16699]
- auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [GH-17251]
- auth/approle: SecretIDs can now be generated with a per-request specified TTL and num_uses. When either the ttl or num_uses field is not specified, the role's configuration is used. [GH-14474]
- auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
- auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [GH-17194]
- auth/cert: Add metadata to identity-alias [GH-14751]
- auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [GH-17136]
- auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [GH-17196]
- auth/gcp: Add support for GCE regional instance groups [GH-16435]
- auth/gcp: Updates dependencies: google.golang.org/api@v0.83.0, github.com/hashicorp/go-gcp-common@v0.8.0. [GH-17160]
- auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
- auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
- auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
- auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
- auth/kubernetes: Role resolution for K8S Auth [GH-156] [GH-17161]
- auth/oci: Add support for role resolution. [GH-17212]
- auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
- cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
- cli: auth and secrets list-detailed commands now show Deprecation Status for builtin plugins. [GH-16849]
- cli: vault plugin list now has a details field in JSON format, and version and type information in table format. [GH-17347]
- command/audit: Improve missing type error message [GH-16409]
- command/server: add -dev-tls and -dev-tls-cert-dir subcommands to create a Vault dev server with generated certificates and private key. [GH-16421]
- command: Fix shell completion for KV v2 mounts [GH-16553]
- core (enterprise): Add HTTP PATCH support for namespaces with an associated namespace patch CLI command
- core (enterprise): Add check to vault server command to ensure configured storage backend is supported.
- core (enterprise): Add custom metadata support for namespaces
- core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
- core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
- core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]
- core/quotas (enterprise): Added ability to add path suffixes for lease-count resource quotas
- core/quotas (enterprise): Added ability to add role information for lease-count resource quotas, to limit login requests on auth mounts made using that role
- core/quotas: Added ability to add path suffixes for rate-limit resource quotas [GH-15989]
- core/quotas: Added ability to add role information for rate-limit resource quotas, to limit login requests on auth mounts made using that role [GH-16115]
- core: Activity log goroutine management improvements to allow tests to be more deterministic. [GH-17028]
- core: Add sys/loggers and sys/loggers/:name endpoints to provide ability to modify logging verbosity [GH-16111]
- core: Handle and log deprecated builtin mounts. Introduces VAULT_ALLOW_PENDING_REMOVAL_MOUNTS to override shutdown and error when attempting to mount Pending Removal builtin plugins. [GH-17005]
- core: Limit activity log client count usage by namespaces [GH-16000]
- core: Upgrade github.com/hashicorp/raft [GH-16609]
- core: remove gox [GH-16353]
- docs: Clarify the behaviour of local mounts in the context of DR replication [GH-16218]
- identity/oidc: Adds support for detailed listing of clients and providers. [GH-16567]
- identity/oidc: Adds the client_secret_post token endpoint authentication method. [GH-16598]
- identity/oidc: allows filtering the list providers response by an allowed_client_id [GH-16181]
- identity: Prevent possibility of data races on entity creation. [GH-16487]
- physical/postgresql: pass context to queries to propagate timeouts and cancellations on requests. [GH-15866]
- plugins/multiplexing: Added multiplexing support to database plugins if run as external plugins [GH-16995]
- plugins: Add Deprecation Status method to builtin registry. [GH-16846]
- plugins: Added environment variable flag to opt-out specific plugins from multiplexing [GH-16972]
- plugins: Adding version to plugin GRPC interface [GH-17088]
- plugins: Plugin catalog supports registering and managing plugins with semantic version information. [GH-16688]
- replication (enterprise): Fix race in merkle sync that can prevent streaming by returning key value matching provided hash if found in log shipper buffer.
- secret/nomad: allow reading CA and client auth certificate from /nomad/config/access [GH-15809]
- secret/pki: Add RSA PSS signature support for issuing certificates, signing CRLs [GH-16519]
- secret/pki: Add signature_bits to sign-intermediate, sign-verbatim endpoints [GH-16124]
- secret/pki: Allow issuing certificates with non-domain, non-email Common Names from roles, sign-verbatim, and as issuers (cn_validations). [GH-15996]
- secret/pki: Allow specifying SKID for cross-signed issuance from older Vault versions. [GH-16494]
- secret/transit: Allow importing Ed25519 keys from PKCS#8 with inner RFC 5915 ECPrivateKey blobs (NSS-wrapped keys). [GH-15742]
- secrets/ad: set config default length only if password_policy is missing [GH-16140]
- secrets/azure: Adds option to permanently delete AzureAD objects created by Vault. [GH-17045]
- secrets/database/hana: Add ability to customize dynamic usernames [GH-16631]
- secrets/database/snowflake: Add multiplexing support [GH-17159]
- secrets/gcp: Updates dependencies: google.golang.org/api@v0.83.0, github.com/hashicorp/go-gcp-common@v0.8.0. [GH-17174]
- secrets/gcpkms: Update dependencies: google.golang.org/api@v0.83.0. [GH-17199]
- secrets/kubernetes: upgrade to v0.2.0 [GH-17164]
- secrets/pki/tidy: Add another pair of metrics counting certificates not deleted by the tidy operation. [GH-16702]
- secrets/pki: Add a new flag to issue/sign APIs which can filter out root CAs from the returned ca_chain field [GH-16935]
- secrets/pki: Add a warning to any successful response when the requested TTL is overwritten by MaxTTL [GH-17073]
- secrets/pki: Add ability to cancel tidy operations, control tidy resource usage. [GH-16958]
- secrets/pki: Add ability to periodically rebuild CRL before expiry [GH-16762]
- secrets/pki: Add ability to periodically run tidy operations to remove expired certificates. [GH-16900]
- secrets/pki: Add support for per-issuer Authority Information Access (AIA) URLs [GH-16563]
- secrets/pki: Add support to specify signature bits when generating CSRs through intermediate/generate apis [GH-17388]
- secrets/pki: Added gauge metrics "secrets.pki.total_revoked_certificates_stored" and "secrets.pki.total_certificates_stored" to track the number of certificates in storage. [GH-16676]
- secrets/pki: Allow revocation of certificates with explicitly provided certificate (bring your own certificate / BYOC). [GH-16564]
- secrets/pki: Allow revocation via proving possession of certificate's private key [GH-16566]
- secrets/pki: Allow tidy to associate revoked certs with their issuers for OCSP performance [GH-16871]
- secrets/pki: Honor If-Modified-Since header on CA, CRL fetch; requires passthrough_request_headers modification on the mount point. [GH-16249]
- secrets/pki: Improve stability of association of revoked cert with its parent issuer; when an issuer loses crl-signing usage, do not place certs on default issuer's CRL. [GH-16874]
- secrets/pki: Support generating delta CRLs for up-to-date CRLs when auto-building is enabled. [GH-16773]
- secrets/ssh: Add allowed_domains_template to allow templating of allowed_domains. [GH-16056]
- secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]
- secrets/ssh: Allow the use of Identity templates in the default_user field [GH-16351]
- secrets/transit: Add a dedicated HMAC key type, which can be used with key import. [GH-16668]
- secrets/transit: Added a parameter to encrypt/decrypt batch operations to allow the caller to override the HTTP response code in case of partial user-input failures. [GH-17118]
- secrets/transit: Allow configuring the possible salt lengths for RSA PSS signatures. [GH-16549]
- ssh: Addition of an endpoint ssh/issue/:role to allow the creation of signed key pairs [GH-15561]
- storage/cassandra: tuning parameters for clustered environments: connection_timeout, initial_connection_timeout, simple_retry_policy_retries. [GH-10467]
- storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [GH-14455]
- ui: Changed the tokenBoundCidrs tooltip content to clarify that comma separated values are not accepted in this field. [GH-15852]
- ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when unauthenticated [GH-17139]
- ui: Removed deprecated version of core-js 2.6.11 [GH-15898]
- ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap with description. [GH-16489]
- ui: Replaces non-inclusive terms [GH-17116]
- ui: redirect_to param forwards from auth route when authenticated [GH-16821]
- website/docs: API generate-recovery-token documentation. [GH-16213]
- website/docs: Add documentation around the expensiveness of making lots of lease count quotas in a short period [GH-16950]
- website/docs: Removes mentions of unauthenticated from internal ui resultant-acl doc [GH-17139]
- website/docs: Update replication docs to mention Integrated Storage [GH-16063]
- website/docs: changed to echo for all string examples instead of (<<<) here-string. [GH-9081]
BUG FIXES:
- agent/template: Fix parsing error for the exec stanza [GH-16231]
- agent: Agent will now respect max_retries retry configuration even when caching is set. [GH-16970]
- agent: Update consul-template for pkiCert bug fixes [GH-16087]
- api/sys/internal/specs/openapi: support a new "dynamic" query parameter to generate generic mountpaths [GH-15835]
- api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [GH-16794]
- api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P.+) endpoints where it was not properly handling /auth/ [GH-15552]
- api: properly handle switching to/from unix domain socket when changing client address [GH-11904]
- auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
- auth/kerberos: Maintain headers set by the client [GH-16636]
- auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17161]
- auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
- command/debug: fix bug where monitor was not honoring configured duration [GH-16834]
- core (enterprise): Fix bug where wrapping token lookup does not work within namespaces. [GH-15583]
- core (enterprise): Fix creation of duplicate entities via alias metadata changes on local auth mounts.
- core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
- core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
- core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
- core/managed-keys (enterprise): fix panic when having cache_disable true
- core/quotas (enterprise): Fixed issue with improper counting of leases if lease count quota created after leases
- core/quotas: Added globbing functionality on the end of path suffix quota paths [GH-16386]
- core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
- core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
- core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
- core: Fix panic when the plugin catalog returns neither a plugin nor an error. [GH-17204]
- core: Fixes parsing boolean values for ha_storage backends in config [GH-15900]
- core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
- core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
- database: Invalidate queue should cancel context first to avoid deadlock [GH-15933]
- debug: Fix panic when capturing debug bundle on Windows [GH-14399]
- debug: Remove extra empty lines from vault.log when debug command is run [GH-16714]
- identity (enterprise): Fix a data race when creating an entity for a local alias.
- identity/oidc: Adds claims_supported to discovery document. [GH-16992]
- identity/oidc: Change the state parameter of the Authorization Endpoint to optional. [GH-16599]
- identity/oidc: Detect invalid redirect_uri values sooner in validation of the Authorization Endpoint. [GH-16601]
- identity/oidc: Fixes validation of the request and request_uri parameters. [GH-16600]
- openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions [GH-15552]
- plugin/multiplexing: Fix panic when id doesn't exist in connection map [GH-16094]
- plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [GH-16673]
- plugins: Corrected the path to check permissions on when the registered plugin name does not match the plugin binary's filename. [GH-17340]
- quotas/lease-count: Fix lease-count quotas on mounts not properly being enforced when the lease generating request is a read [GH-15735]
- replication (enterprise): Fix data race in SaveCheckpoint()
- replication (enterprise): Fix data race in saveCheckpoint.
- replication (enterprise): Fix possible data race during merkle diff/sync
- secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
- secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
- secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [GH-16534]
- secrets/kv: Fix kv get issue preventing the ability to read a secret when providing a leading slash [GH-16443]
- secrets/pki: Allow import of issuers without CRLSign KeyUsage; prohibit setting crl-signing usage on such issuers [GH-16865]
- secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
- secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17385]
- secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [GH-16813]
- secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [GH-16721]
- secrets/pki: LIST issuers endpoint is now unauthenticated. [GH-16830]
- secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
- secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
- storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
- storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
- storage/raft: Fix retry_join initialization failure [GH-16550]
- storage/raft: Nodes no longer get demoted to nonvoter if we don't know their version due to missing heartbeats. [GH-17019]
- ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
- ui: Fix OIDC callback to accept namespace flag in different formats [GH-16886]
- ui: Fix info tooltip submitting form [GH-16659]
- ui: Fix issue logging in with JWT auth method [GH-16466]
- ui: Fix lease force revoke action [GH-16930]
- ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [GH-16739]
- ui: Fixed bug where red spellcheck underline appears in sensitive/secret kv values when it should not appear [GH-15681]
- ui: Fixes secret version and status menu links transitioning to auth screen [GH-16983]
- ui: OIDC login type uses localStorage instead of sessionStorage [GH-16170]
- vault: Fix a bug where duplicate policies could be added to an identity group. [GH-15638]
CHANGES:
- core: Bump Go version to 1.19.10.
- licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
FEATURES:
- Automated License Utilization Reporting: Added automated license utilization reporting, which sends minimal product-license metering data to HashiCorp without requiring you to manually collect and report them.
- core (enterprise): Add background worker for automatic reporting of billing information. [GH-19625]
IMPROVEMENTS:
- api: GET ... /sys/internal/counters/activity?current_billing_period=true now results in a response which contains the full billing period [GH-20694]
- api: /sys/internal/counters/config endpoint now contains read-only minimum_retention_months. [GH-20150]
- api: /sys/internal/counters/config endpoint now contains read-only reporting_enabled and billing_start_timestamp fields. [GH-20086]
- core (enterprise): add configuration for license reporting [GH-19891]
- core (enterprise): license updates trigger a reload of reporting and the activity log [GH-20680]
- core (enterprise): support reloading configuration for automated reporting via SIGHUP [GH-20680]
- core (enterprise): vault server command now allows for opt-out of automated reporting via the OPTOUT_LICENSE_REPORTING environment variable. [GH-3939]
- core/activity: error when attempting to update retention configuration below the minimum [GH-20078]
- core/activity: generate hyperloglogs containing clientIds for each month during precomputation [GH-16146]
- core/activity: refactor activity log api to reuse partial api functions in activity endpoint when current month is specified [GH-16162]
- core/activity: refactor the activity log's generation of precomputed queries [GH-20073]
- core/activity: use monthly hyperloglogs to calculate new clients approximation for current month [GH-16184]
- core: Activity log goroutine management improvements to allow tests to be more deterministic. [GH-17028]
- core: Limit activity log client count usage by namespaces [GH-16000]
- storage/raft: add additional raft metrics relating to applied index and heartbeating; also ensure OSS standbys emit periodic metrics. [GH-12166]
- ui: updates clients configuration edit form state based on census reporting configuration [GH-20125]
BUG FIXES:
- core/activity: add namespace breakdown for new clients when date range spans multiple months, including the current month. [GH-18766]
- core/activity: de-duplicate namespaces when historical and current month data are mixed [GH-18452]
- core/activity: fix the end_date returned from the activity log endpoint when partial counts are computed [GH-17856]
- core/activity: include mount counts when de-duplicating current and historical month data [GH-18598]
- core/activity: report mount paths (rather than mount accessors) in current month activity log counts and include deleted mount paths in precomputed queries. [GH-18916]
- core/activity: return partial month counts when querying a historical date range and no historical data exists. [GH-17935]
- core: Change where we evaluate filtered paths as part of mount operations; this is part of an enterprise bugfix that will have its own changelog entry. [GH-21260]
- core: Do not cache seal configuration to fix a bug that resulted in sporadic auto unseal failures. [GH-21223]
- core: Don't exit just because we think there's a potential deadlock. [GH-21342]
- core: Fix panic in sealed nodes using raft storage trying to emit raft metrics [GH-21249]
- identity: Fixes duplicate groups creation with the same name but unique IDs. [GH-20964]
- replication (enterprise): Fix a race condition with update-primary that could result in data loss after a DR failover
- replication (enterprise): Fix path filters deleting data right after it's written by backend Initialize funcs
SECURITY:
- ui: key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11. [HSEC-2023-17]
CHANGES:
- core: Bump Go version to 1.19.9.
- core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
IMPROVEMENTS:
- command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when VAULT_PPROF_WRITE_TO_FILE=true is set on the server. [GH-20609]
- secrets/pki: add subject key identifier to read key response [GH-20642]
- ui: update TTL picker for consistency [GH-18114]
BUG FIXES:
- api: Properly Handle nil identity_policies in Secret Data [GH-20636]
- auth/ldap: Set default value for max_page_size properly [GH-20453]
- cli: CLI should take days as a unit of time for ttl like flags [GH-20477]
- core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
- core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
- core (enterprise): Remove MFA Enforcement configuration for namespace when deleting namespace
- core: prevent panic on login after namespace is deleted that had mfa enforcement [GH-20375]
- replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
- replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
- secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
CHANGES:
- core: Bump Go version to 1.19.8.
IMPROVEMENTS:
- cli/namespace: Add detailed flag to output additional namespace information such as namespace IDs and custom metadata. [GH-20243]
- core/activity: add an endpoint to write test activity log data, guarded by a build flag [GH-20019]
- core: Add a raft sub-field to the storage and ha_storage details provided by the /sys/config/state/sanitized endpoint in order to include the max_entry_size. [GH-20044]
- sdk/ldaputil: added connection_timeout to tune connection timeout duration for all LDAP plugins. [GH-20144]
BUG FIXES:
- auth/ldap: Add max_page_size configurable to LDAP configuration [GH-19032]
- core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT new_token forwarding is set. When this occurred, this would result in the following error to the client: "error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue".
- core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
- core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert sscGenCounter resulting in 412 errors.
- core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [GH-19721]
- helper/random: Fix race condition in string generator helper [GH-19875]
- openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [GH-18554]
- replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
- secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [GH-20341]
- secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
- ui: Fix OIDC provider logo showing when domain doesn't match [GH-20263]
- ui: Fix bad link to namespace when namespace name includes "." [GH-19799]
- ui: fixes browser console formatting for help command output [GH-20064]
- ui: remove use of htmlSafe except when first sanitized [GH-20235]
SECURITY:
- storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-12]
- secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-11]
- core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-10]
IMPROVEMENTS:
- auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
website/docs: Add docs for VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing Github config [GH-19244]
- core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
- core: validate name identifiers in mssql physical storage backend prior use [GH-19591]
BUG FIXES:
- auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [#190] [GH-19720]
- cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [GH-17913]
- core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
- core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
- openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
- secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
- ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
- ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
- ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]
SECURITY:
- auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [HSEC-2023-07]
CHANGES:
- core: Bump Go version to 1.19.6.
IMPROVEMENTS:
- secrets/database: Adds error message requiring password on root credential rotation. [GH-19103]
BUG FIXES:
- auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [GH-19186]
- core (enterprise): Fix panic when using invalid accessor for control-group request
- core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
- core: Prevent panics in sys/leases/lookup, sys/leases/revoke, and sys/leases/renew endpoints if provided lease_id is null [GH-18951]
- license (enterprise): Fix bug where license would update even if the license didn't change.
- replication (enterprise): Fix bug where reloading external plugin on a secondary would break replication.
- secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [GH-18208]
- ui (enterprise): Fix cancel button from transform engine role creation page [GH-19135]
- ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [GH-19071]
- ui: show Get credentials button for static roles detail page when a user has the proper permissions. [GH-19190]
CHANGES:
- core: Bump Go version to 1.19.4.
IMPROVEMENTS:
- command/server: Environment variable keys are now logged at startup. [GH-18125]
- core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
- secrets/db/mysql: Add tls_server_name and tls_skip_verify parameters [GH-18799]
- ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [GH-18342]
- ui: Update language on database role to "Connection name" [GH-18261] [GH-18350]
BUG FIXES:
- auth/approle: Fix token_bound_cidrs validation when using /32 blocks for role and secret ID [GH-18145]
- cli/kv: skip formatting of nil secrets for patch and put with field parameter set [GH-18163]
- core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
- core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
- core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
- core/quotas: Fix issue with improper application of default rate limit quota exempt paths [GH-18273]
- core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
- core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [GH-18923]
- database/mongodb: Fix writeConcern set to be applied to any query made on the database [GH-18546]
- identity (enterprise): Fix a data race when creating an entity for a local alias.
- kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
- kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
- kmip (enterprise): Fix Query operation response that omitted streaming capability and supported profiles.
- licensing (enterprise): update autoloaded license cache after reload
- secrets/pki: Allow patching issuer to set an empty issuer name. [GH-18466]
- secrets/transit: Do not warn about unrecognized parameter 'batch_input' [GH-18299]
- storage/raft (enterprise): An already joined node can rejoin by wiping storage and re-issuing a join request, but in doing so could transiently become a non-voter. In some scenarios this resulted in loss of quorum. [GH-18263]
- storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
- storage/raft: Don't panic on unknown raft ops [GH-17732]
- ui: fixes query parameters not passed in api explorer test requests [GH-18743]
IMPROVEMENTS:
- secrets/pki: Allow issuer creation, import to change default issuer via `default_follows_latest_issuer`. [GH-17824]
BUG FIXES:
- auth/okta: fix a panic for AuthRenew in Okta [GH-18011]
- auth: Deduplicate policies prior to ACL generation [GH-17914]
- cli: Fix issue preventing kv commands from executing properly when the mount path provided by `-mount` flag and secret key path are the same. [GH-17679]
- core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
- core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [GH-17944]
- core: fix a start up race condition where performance standbys could go into a mount loop if default policies are not yet synced from the active node. [GH-17801]
- secret/pki: fix bug with initial legacy bundle migration (from < 1.11 into 1.11+) and missing issuers from ca_chain [GH-17772]
- secrets/azure: add WAL to clean up role assignments if errors occur [GH-18085]
- secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [GH-18110]
- ui: Fixes issue with not being able to download raft snapshot via service worker [GH-17769]
- ui: fix entity policies list link to policy show page [GH-17950]
IMPROVEMENTS:
- database/snowflake: Allow parallel requests to Snowflake [GH-17594]
- sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]
BUG FIXES:
- core/managed-keys (enterprise): Return better error messages when encountering key creation failures
- core/managed-keys (enterprise): fix panic when having `cache_disable` true
- core: prevent memory leak when using control group factors in a policy [GH-17532]
- core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
- kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
- login: Store token in tokenhelper for interactive login MFA [GH-17040]
- secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
- secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17384]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
- ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
SECURITY:
- secrets/pki: Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10. [HSEC-2022-24]
IMPROVEMENTS:
- agent/auto-auth: Add `exit_on_err` which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
- agent: Send notifications to systemd on start and stop. [GH-9802]
BUG FIXES:
- auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
- auth/kubernetes: Restore support for JWT signature algorithm ES384 [GH-160] [GH-17162]
- auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
- core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
- core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
- identity/oidc: Adds `claims_supported` to discovery document. [GH-16992]
- replication (enterprise): Fix data race in SaveCheckpoint()
- secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
- secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
- ui: Fixes secret version and status menu links transitioning to auth screen [GH-16983]
SECURITY:
- core: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. This vulnerability, CVE-2022-40186, is fixed in 1.11.3, 1.10.6, and 1.9.9. [HSEC-2022-18]
CHANGES:
- core: Bump Go version to 1.17.13.
IMPROVEMENTS:
- auth/kerberos: add `add_group_aliases` config to include LDAP groups in Vault group aliases [GH-16890]
- auth/kerberos: add `remove_instance_name` parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
- identity/oidc: Adds the `client_secret_post` token endpoint authentication method. [GH-16598]
- storage/gcs: Add documentation explaining how to configure the gcs backend using environment variables instead of options in the configuration stanza [GH-14455]
BUG FIXES:
- api: Fixed erroneous warnings of unrecognized parameters when unwrapping data. [GH-16794]
- auth/gcp: Fixes the ability to reset the configuration's credentials to use application default credentials. [GH-16523]
- auth/kerberos: Maintain headers set by the client [GH-16636]
- command/debug: fix bug where monitor was not honoring configured duration [GH-16834]
- core/license (enterprise): Always remove stored license and allow unseal to complete when license cleanup fails
- database/elasticsearch: Fixes a bug in boolean parsing for initialize [GH-16526]
- identity/oidc: Change the `state` parameter of the Authorization Endpoint to optional. [GH-16599]
- identity/oidc: Detect invalid `redirect_uri` values sooner in validation of the Authorization Endpoint. [GH-16601]
- identity/oidc: Fixes validation of the `request` and `request_uri` parameters. [GH-16600]
- plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2 or generic [GH-16673]
- secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
- secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [GH-16534]
- secrets/pki: Fix migration to properly handle mounts that contain only keys, no certificates [GH-16813]
- secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import (/config/ca, /issuers/import/*, and /intermediate/set-signed) [GH-16721]
- secrets/pki: LIST issuers endpoint is now unauthenticated. [GH-16830]
- storage/raft: Fix retry_join initialization failure [GH-16550]
- ui: Fix OIDC callback to accept namespace flag in different formats [GH-16886]
- ui: Fix info tooltip submitting form [GH-16659]
- ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [GH-16739]
SECURITY:
- identity/entity: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. [HCSEC-2022-18]
IMPROVEMENTS:
- agent: Added `disable_keep_alives` configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
BUG FIXES:
- core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
- core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
- secrets/kv: Fix `kv get` issue preventing the ability to read a secret when providing a leading slash [GH-16443]
- ui: Fix issue logging in with JWT auth method [GH-16466]
SECURITY:
- storage/raft: Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [HSEC-2022-15]
CHANGES:
- core: Bump Go version to 1.17.12.
IMPROVEMENTS:
- agent: Added `disable_idle_connections` configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
- core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide ability to modify logging verbosity [GH-16111]
- secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]
BUG FIXES:
- agent/template: Fix parsing error for the exec stanza [GH-16231]
- agent: Update consul-template for pkiCert bug fixes [GH-16087]
- core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
- core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
- core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
- kmip (enterprise): Return SecretData as supported Object Type.
- plugin/multiplexing: Fix panic when id doesn't exist in connection map [GH-16094]
- secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
- storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
- transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
- ui: OIDC login type uses localStorage instead of sessionStorage [GH-16170]
SECURITY:
- storage/raft (enterprise): Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [HCSEC-2022-15]
CHANGES:
- auth/aws: Add RoleSession to DisplayName when using assumeRole for authentication [GH-14954]
- auth/kubernetes: If `kubernetes_ca_cert` is unset, and there is no pod-local CA available, an error will be surfaced when writing config instead of waiting for login. [GH-15584]
- auth: Remove support for legacy MFA (https://www.vaultproject.io/docs/v1.10.x/auth/mfa) [GH-14869]
- core/fips: Disable and warn about entropy augmentation in FIPS 140-2 Inside mode [GH-15858]
- core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [GH-14328]
- core: Bump Go version to 1.17.11. [GH-go-ver-1110]
- database & storage: Change underlying driver library from lib/pq to pgx. This change affects Redshift & Postgres database secrets engines, and CockroachDB & Postgres storage engines [GH-15343]
- licensing (enterprise): Remove support for stored licenses and associated `sys/license` and `sys/license/signed` endpoints in favor of autoloaded licenses.
- replication (enterprise): The `/sys/replication/performance/primary/mount-filter` endpoint has been removed. Please use Paths Filter instead.
- secret/pki: Remove unused signature_bits parameter from intermediate CSR generation; this parameter doesn't control the final certificate's signature algorithm selection as that is up to the signing CA [GH-15478]
- secrets/kubernetes: Split `additional_metadata` into `extra_annotations` and `extra_labels` parameters [GH-15655]
- secrets/pki: A new aliased api path (/pki/issuer/:issuer_ref/sign-self-issued) providing the same functionality as the existing API(/pki/root/sign-self-issued) does not require sudo capabilities but the latter still requires it in an effort to maintain backwards compatibility. [GH-15211]
- secrets/pki: Err on unknown role during sign-verbatim. [GH-15543]
- secrets/pki: Existing CRL API (/pki/crl) now returns an X.509 v2 CRL instead of a v1 CRL. [GH-15100]
- secrets/pki: The `ca_chain` response field within issuing (/pki/issue/:role) and signing APIs will now include the root CA certificate if the mount is aware of it. [GH-15155]
- secrets/pki: existing Delete Root API (pki/root) will now delete all issuers and keys within the mount path. [GH-15004]
- secrets/pki: existing Generate Root (pki/root/generate/:type), Set Signed Intermediate (/pki/intermediate/set-signed) APIs will add new issuers/keys to a mount instead of warning that an existing CA exists [GH-14975]
- secrets/pki: the signed CA certificate from the sign-intermediate api will now appear within the ca_chain response field along with the issuer's ca chain. [GH-15524]
- ui: Upgrade Ember to version 3.28 [GH-14763]
FEATURES:
- Autopilot Improvements (Enterprise): Autopilot on Vault Enterprise now supports automated upgrades and redundancy zones when using integrated storage.
- KeyMgmt UI: Add UI support for managing the Key Management Secrets Engine [GH-15523]
- Kubernetes Secrets Engine: This new secrets engine generates Kubernetes service account tokens, service accounts, role bindings, and roles dynamically. [GH-15551]
- Non-Disruptive Intermediate/Root Certificate Rotation: This allows import, generation and configuration of any number of keys and/or issuers within a PKI mount, providing operators the ability to rotate certificates in place without affecting existing client configurations. [GH-15277]
- Print minimum required policy for any command: The global CLI flag `-output-policy` can now be used with any command to print out the minimum required policy HCL for that operation, including whether the given path requires the "sudo" capability. [GH-14899]
- Snowflake Database Plugin: Adds ability to manage RSA key pair credentials for dynamic and static Snowflake users. [GH-15376]
- Transit BYOK: Allow import of externally-generated keys into the Transit secrets engine. [GH-15414]
- nomad: Bootstrap Nomad ACL system if no token is provided [GH-12451]
- storage/dynamodb: Added `AWS_DYNAMODB_REGION` environment variable. [GH-15054]
IMPROVEMENTS:
- activity: return nil response months in activity log API when no month data exists [GH-15420]
- agent/auto-auth: Add `min_backoff` to the method stanza for configuring initial backoff duration. [GH-15204]
- agent: Update consul-template to v0.29.0 [GH-15293]
- agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [GH-15092]
- api/monitor: Add log_format option to allow for logs to be emitted in JSON format [GH-15536]
- api: Add ability to pass certificate as PEM bytes to api.Client. [GH-14753]
- api: Add context-aware functions to vault/api for each API wrapper function. [GH-14388]
- api: Added MFALogin() for handling MFA flow when using login helpers. [GH-14900]
- api: If the parameters supplied over the API payload are ignored due to not being what the endpoints were expecting, or if the parameters supplied get replaced by the values in the endpoint's path itself, warnings will be added to the non-empty responses listing all the ignored and replaced parameters. [GH-14962]
- api: KV helper methods to simplify the common use case of reading and writing KV secrets [GH-15305]
- api: Provide a helper method WithNamespace to create a cloned client with a new NS [GH-14963]
- api: Support VAULT_PROXY_ADDR environment variable to allow overriding the Vault client's HTTP proxy. [GH-15377]
- api: Use the context passed to the api/auth Login helpers. [GH-14775]
- api: make ListPlugins parse only known plugin types [GH-15434]
- audit: Add a policy_results block into the audit log that contains the set of policies that granted this request access. [GH-15457]
- audit: Include mount_accessor in audit request and response logs [GH-15342]
- audit: added entity_created boolean to audit log, set when login operations create an entity [GH-15487]
- auth/aws: Add rsa2048 signature type to API [GH-15719]
- auth/gcp: Enable the Google service endpoints used by the underlying client to be customized [GH-15592]
- auth/gcp: Vault CLI now infers the service account email when running on Google Cloud [GH-15592]
- auth/jwt: Adds ability to use JSON pointer syntax for the `user_claim` value. [GH-15593]
- auth/okta: Add support for Google provider TOTP type in the Okta auth method [GH-14985]
- auth/okta: Add support for performing the number challenge during an Okta Verify push challenge [GH-15361]
- auth: Globally scoped Login MFA method Get/List endpoints [GH-15248]
- auth: enforce a rate limit for TOTP passcode validation attempts [GH-14864]
- auth: forward cached MFA auth response to the leader using RPC instead of forwarding all login requests [GH-15469]
- cli/debug: added support for retrieving metrics from DR clusters if `unauthenticated_metrics_access` is enabled [GH-15316]
- cli/vault: warn when policy name contains upper-case letter [GH-14670]
- cli: Alternative flag-based syntax for KV to mitigate confusion from automatically appended /data [GH-14807]
- cockroachdb: add high-availability support [GH-12965]
- command/debug: Add log_format flag to allow for logs to be emitted in JSON format [GH-15536]
- command: Support optional '-log-level' flag to be passed to 'operator migrate' command (defaults to info). Also support VAULT_LOG_LEVEL env var. [GH-15405]
- command: Support the optional '-detailed' flag to be passed to 'vault list' command to show ListResponseWithInfo data. Also supports the VAULT_DETAILED env var. [GH-15417]
- core (enterprise): Include `termination_time` in `sys/license/status` response
- core (enterprise): Include termination time in `license inspect` command output
- core,transit: Allow callers to choose random byte source including entropy augmentation sources for the sys/tools/random and transit/random endpoints. [GH-15213]
- core/activity: Order month data in ascending order of timestamps [GH-15259]
- core/activity: allow client counts to be precomputed and queried on non-contiguous chunks of data [GH-15352]
- core/managed-keys (enterprise): Allow configuring the number of parallel operations to PKCS#11 managed keys.
- core: Add an export API for historical activity log data [GH-15586]
- core: Add new DB methods that do not prepare statements. [GH-15166]
- core: check uid and permissions of config dir, config file, plugin dir and plugin binaries [GH-14817]
- core: Fix some identity data races found by Go race detector (no known impact yet). [GH-15123]
- core: Include build date in `sys/seal-status` and `sys/version-history` endpoints. [GH-14957]
- core: Upgrade github.org/x/crypto/ssh [GH-15125]
- kmip (enterprise): Implement operations Query, Import, Encrypt and Decrypt. Improve operations Locate, Add Attribute, Get Attributes and Get Attribute List to handle most supported attributes.
- mfa/okta: migrate to use official Okta SDK [GH-15355]
- sdk: Change OpenAPI code generator to extract request objects into /components/schemas and reference them by name. [GH-14217]
- secrets/consul: Add support for Consul node-identities and service-identities [GH-15295]
- secrets/consul: Vault is now able to automatically bootstrap the Consul ACL system. [GH-10751]
- secrets/database/elasticsearch: Use the new /_security base API path instead of /_xpack/security when managing elasticsearch. [GH-15614]
- secrets/pki: Add not_before_duration to root CA generation, intermediate CA signing paths. [GH-14178]
- secrets/pki: Add support for CPS URLs and User Notice to Policy Information [GH-15751]
- secrets/pki: Allow operators to control the issuing certificate behavior when the requested TTL is beyond the NotAfter value of the signing certificate [GH-15152]
- secrets/pki: Always return CRLs, URLs configurations, even if using the default value. [GH-15470]
- secrets/pki: Enable Patch Functionality for Roles and Issuers (API only) [GH-15510]
- secrets/pki: Have pki/sign-verbatim use the not_before_duration field defined in the role [GH-15429]
- secrets/pki: Warn on empty Subject field during issuer generation (root/generate and root/sign-intermediate). [GH-15494]
- secrets/pki: Warn on missing AIA access information when generating issuers (config/urls). [GH-15509]
- secrets/pki: Warn when `generate_lease` and `no_store` are both set to `true` on requests. [GH-14292]
- secrets/ssh: Add connection timeout of 1 minute for outbound SSH connection in deprecated Dynamic SSH Keys mode. [GH-15440]
- secrets/ssh: Support for `add_before_duration` in SSH [GH-15250]
- sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
- storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [GH-15042]
- ui: Allow namespace param to be parsed from state queryParam [GH-15378]
- ui: Default auto-rotation period in transit is 30 days [GH-15474]
- ui: Parse schema refs from OpenAPI [GH-14508]
- ui: Remove stored license references [GH-15513]
- ui: Remove storybook. [GH-15074]
- ui: Replaces the IvyCodemirror wrapper with a custom ember modifier. [GH-14659]
- website/docs: Add usage documentation for Kubernetes Secrets Engine [GH-15527]
- website/docs: added a link to an Enigma secret plugin. [GH-14389]
DEPRECATIONS:
- docs: Document removal of X.509 certificates with signatures who use SHA-1 in Vault 1.12 [GH-15581]
- secrets/consul: Deprecate old parameters "token_type" and "policy" [GH-15550]
- secrets/consul: Deprecate parameter "policies" in favor of "consul_policies" for consistency [GH-15400]
BUG FIXES:
- Fixed panic when adding or modifying a Duo MFA Method in Enterprise
- agent: Fix log level mismatch between ERR and ERROR [GH-14424]
- agent: Redact auto auth token from renew endpoints [GH-15380]
- api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [GH-14269]
- api: Fixes bug where OutputCurlString field was unintentionally being copied over during client cloning [GH-14968]
- api: Respect increment value in grace period calculations in LifetimeWatcher [GH-14836]
- auth/approle: Add maximum length for input values that result in SHA256 HMAC calculation [GH-14746]
- auth/kubernetes: Fix error code when using the wrong service account [GH-15584]
- auth/ldap: The logic for setting the entity alias when `username_as_alias` is set has been fixed. The previous behavior would make a request to the LDAP server to get `user_attr` before discarding it and using the username instead. This would make it impossible for a user to connect if this attribute was missing or had multiple values, even though it would not be used anyway. This has been fixed and the username is now used without making superfluous LDAP searches. [GH-15525]
- auth: Fixed erroneous success message when using vault login in case of two-phase MFA [GH-15428]
- auth: Fixed erroneous token information being displayed when using vault login in case of two-phase MFA [GH-15428]
- auth: Fixed two-phase MFA information missing from table format when using vault login [GH-15428]
- auth: Prevent deleting a valid MFA method ID using the endpoint for a different MFA method type [GH-15482]
- auth: forward requests subject to login MFA from perfStandby to Active node [GH-15009]
- auth: load login MFA configuration upon restart [GH-15261]
- cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [GH-14973]
- cli: Fix panic caused by parsing key=value fields whose value is a single backslash [GH-14523]
- cli: kv get command now honors trailing spaces to retrieve secrets [GH-15188]
- command: do not report listener and storage types as key not found warnings [GH-15383]
- core (enterprise): Allow local alias create RPCs to persist alias metadata
- core (enterprise): Fix overcounting of lease count quota usage at startup.
- core (enterprise): Fix some races in merkle index flushing code found in testing
- core (enterprise): Handle additional edge cases reinitializing PKCS#11 libraries after login errors.
- core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [GH-15224]
- core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
- core/metrics: Fix incorrect table size metric for local mounts [GH-14755]
- core: Fix double counting for "route" metrics [GH-12763]
- core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [GH-15072]
- core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [GH-14522]
- core: Fix panic caused by parsing policies with empty slice values. [GH-14501]
- core: Fix panic for help request URL paths without /v1/ prefix [GH-14704]
- core: Limit SSCT WAL checks on perf standbys to raft backends only [GH-15879]
- core: Prevent changing file permissions of audit logs when mode 0000 is used. [GH-15759]
- core: Prevent metrics generation from causing deadlocks. [GH-15693]
- core: fixed systemd reloading notification [GH-15041]
- core: fixing excessive unix file permissions [GH-14791]
- core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [GH-14846]
- core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
- core: renaming the environment variable VAULT_DISABLE_FILE_PERMISSIONS_CHECK to VAULT_ENABLE_FILE_PERMISSIONS_CHECK and adjusting the logic [GH-15452]
- core: report unused or redundant keys in server configuration [GH-14752]
- core: time.After() used in a select statement can lead to memory leak [GH-14814]
- identity: deduplicate policies when creating/updating identity groups [GH-15055]
- mfa/okta: disable client side rate limiting causing delays in push notifications [GH-15369]
- plugin: Fix a bug where plugin reload would falsely report success in certain scenarios. [GH-15579]
- raft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [GH-15156]
- raft: Ensure initialMmapSize is set to 0 on Windows [GH-14977]
- replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [GH-14622]
- sdk/cidrutil: Only check if cidr contains remote address for IP addresses [GH-14487]
- sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [GH-15104]
- sdk: Fix OpenApi spec generator to remove duplicate sha_256 parameter [GH-15163]
- secrets/database: Ensure that a `connection_url` password is redacted in all cases. [GH-14744]
- secrets/kv: Fix issue preventing the ability to reset the `delete_version_after` key metadata field to 0s via HTTP `PATCH`. [GH-15792]
- secrets/pki: CRLs on performance secondary clusters are now automatically rebuilt upon changes to the list of issuers. [GH-15179]
- secrets/pki: Fix handling of "any" key type with default zero signature bits value. [GH-14875]
- secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [GH-14943]
- secrets/ssh: Convert role field not_before_duration to seconds before returning it [GH-15559]
- storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
- storage/raft: Forward autopilot state requests on perf standbys to active node. [GH-15493]
- storage/raft: joining a node to a cluster now ignores any VAULT_NAMESPACE environment variable set on the server process [GH-15519]
- ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [GH-15046]
- ui: Fix KV secret showing in the edit form after a user creates a new version but doesn't have read capabilities [GH-14794]
- ui: Fix inconsistent behavior in client count calendar widget [GH-15789]
- ui: Fix issue where metadata tab is hidden even though policy grants access [GH-15824]
- ui: Fix issue with KV not recomputing model when you changed versions. [GH-14941]
- ui: Fixed client count timezone for start and end months [GH-15167]
- ui: Fixed unsupported revocation statements field for DB roles [GH-15573]
- ui: Fixes edit auth method capabilities issue [GH-14966]
- ui: Fixes issue logging in with OIDC from a listed auth mounts tab [GH-14916]
- ui: Revert using localStorage in favor of sessionStorage [GH-15769]
- ui: Updated `leasId` to `leaseId` in the "Copy Credentials" section of "Generate AWS Credentials" [GH-15685]
- ui: fix firefox inability to recognize file format of client count csv export [GH-15364]
- ui: fix form validations ignoring default values and disabling submit button [GH-15560]
- ui: fix search-select component showing blank selections when editing group member entity [GH-15058]
- ui: masked values no longer give away length or location of special characters [GH-15025]
SECURITY:
- auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [HSEC-2023-07]
CHANGES:
- core: Bump Go version to 1.19.6.
IMPROVEMENTS:
- secrets/database: Adds error message requiring password on root credential rotation. [GH-19103]
BUG FIXES:
- auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [GH-19186]
- core (enterprise): Fix panic when using invalid accessor for control-group request
- core: Prevent panics in `sys/leases/lookup`, `sys/leases/revoke`, and `sys/leases/renew` endpoints if provided `lease_id` is null [GH-18951]
- replication (enterprise): Fix bug where reloading external plugin on a secondary would break replication.
- secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [GH-18209]
- ui (enterprise): Fix cancel button from transform engine role creation page [GH-19135]
- ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [GH-19071]
CHANGES:
- core: Bump Go version to 1.19.4.
IMPROVEMENTS:
- command/server: Environment variable keys are now logged at startup. [GH-18125]
- core/fips: use upstream toolchain for FIPS 140-2 compliance again; this will appear as X=boringcrypto on the Go version in Vault server logs.
- secrets/db/mysql: Add tls_server_name and tls_skip_verify parameters [GH-18799]
- ui: Prepends "passcode=" if not provided in user input for duo totp mfa method authentication [GH-18342]
- ui: Update language on database role to "Connection name" [GH-18261] [GH-18350]
BUG FIXES:
- auth/approle: Fix token_bound_cidrs validation when using /32 blocks for role and secret ID [GH-18145]
- auth/token: Fix ignored parameter warnings for valid parameters on token create [GH-16938]
- cli/kv: skip formatting of nil secrets for patch and put with field parameter set [GH-18163]
- core (enterprise): Fix a race condition resulting in login errors to PKCS#11 modules under high concurrency.
- core/managed-keys (enterprise): Limit verification checks to mounts in a key's namespace
- core/quotas (enterprise): Fix a potential deadlock that could occur when using lease count quotas.
- core/quotas: Fix issue with improper application of default rate limit quota exempt paths [GH-18273]
- core: fix bug where context cancellations weren't forwarded to active node from performance standbys.
- core: prevent panic in login mfa enforcement delete after enforcement's namespace is deleted [GH-18923]
- database/mongodb: Fix writeConcern set to be applied to any query made on the database [GH-18546]
- identity (enterprise): Fix a data race when creating an entity for a local alias.
- kmip (enterprise): Fix Destroy operation response that omitted Unique Identifier on some batched responses.
- kmip (enterprise): Fix Locate operation response incompatibility with clients using KMIP versions prior to 1.3.
- licensing (enterprise): update autoloaded license cache after reload
- storage/raft (enterprise): Fix some storage-modifying RPCs used by perf standbys that weren't returning the resulting WAL state.
- ui: fixes query parameters not passed in api explorer test requests [GH-18743]
BUG FIXES:
- auth: Deduplicate policies prior to ACL generation [GH-17914]
- core/quotas (enterprise): Fix a lock contention issue that could occur and cause Vault to become unresponsive when creating, changing, or deleting lease count quotas.
- core: Fix potential deadlock if barrier ciphertext is less than 4 bytes. [GH-17944]
- core: fix a start up race condition where performance standbys could go into a mount loop if default policies are not yet synced from the active node. [GH-17801]
- secrets/azure: add WAL to clean up role assignments if errors occur [GH-18084]
- secrets/gcp: Fixes duplicate service account key for rotate root on standby or secondary [GH-18109]
- ui: fix entity policies list link to policy show page [GH-17950]
BUG FIXES:
- core/managed-keys (enterprise): Return better error messages when encountering key creation failures
- core/managed-keys (enterprise): fix panic when having cache_disable true
- core: prevent memory leak when using control group factors in a policy [GH-17532]
- core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
- login: Store token in tokenhelper for interactive login MFA [GH-17040]
- secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
- secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
- ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]
SECURITY:
- secrets/pki: Vault’s TLS certificate auth method did not initially load the optionally-configured CRL issued by the role’s CA into memory on startup, resulting in the revocation list not being checked, if the CRL has not yet been retrieved. This vulnerability, CVE-2022-41316, is fixed in Vault 1.12.0, 1.11.4, 1.10.7, and 1.9.10. [HSEC-2022-24]
BUG FIXES:
- auth/cert: Vault does not initially load the CRLs in cert auth unless the read/write CRL endpoint is hit. [GH-17138]
- core/quotas: Fix goroutine leak caused by the seal process not fully cleaning up Rate Limit Quotas. [GH-17281]
- core: Prevent two or more DR failovers from invalidating SSCT tokens generated on the previous primaries. [GH-16956]
- identity/oidc: Adds claims_supported to discovery document. [GH-16992]
- replication (enterprise): Fix data race in SaveCheckpoint()
- secrets/transform (enterprise): Fix an issue loading tokenization transform configuration after a specific sequence of reconfigurations.
- secrets/transform (enterprise): Fix persistence problem with tokenization store credentials.
- ui: Fix lease force revoke action [GH-16930]
SECURITY:
- core: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. This vulnerability, CVE-2022-40186, is fixed in 1.11.3, 1.10.6, and 1.9.9. [HSEC-2022-18]
CHANGES:
- core: Bump Go version to 1.17.13.
IMPROVEMENTS:
- identity/oidc: Adds the client_secret_post token endpoint authentication method. [GH-16598]
BUG FIXES:
- auth/gcp: Fixes the ability to reset the configuration's credentials to use application default credentials. [GH-16524]
- command/debug: fix bug where monitor was not honoring configured duration [GH-16834]
- core/auth: Return a 403 instead of a 500 for a malformed SSCT [GH-16112]
- core: Increase the allowed concurrent gRPC streams over the cluster port. [GH-16327]
- database: Invalidate queue should cancel context first to avoid deadlock [GH-15933]
- identity/oidc: Change the state parameter of the Authorization Endpoint to optional. [GH-16599]
- identity/oidc: Detect invalid redirect_uri values sooner in validation of the Authorization Endpoint. [GH-16601]
- identity/oidc: Fixes validation of the request and request_uri parameters. [GH-16600]
- secrets/database: Fix a bug where the secret engine would queue up a lot of WAL deletes during startup. [GH-16686]
- secrets/gcp: Fixes duplicate static account key creation from performance secondary clusters. [GH-16534]
- storage/raft: Fix retry_join initialization failure [GH-16550]
- ui: Fix OIDC callback to accept namespace flag in different formats [GH-16886]
- ui: Fix issue logging in with JWT auth method [GH-16466]
- ui: Fix naming of permitted_dns_domains form parameter on CA creation (root generation and sign intermediate). [GH-16739]
SECURITY:
- identity/entity: When entity aliases mapped to a single entity share the same alias name, but have different mount accessors, Vault can leak metadata between the aliases. This metadata leak may result in unexpected access if templated policies are using alias metadata for path names. [HCSEC-2022-18]
SECURITY:
- storage/raft: Vault Enterprise (“Vault”) clusters using Integrated Storage expose an unauthenticated API endpoint that could be abused to override the voter status of a node within a Vault HA cluster, introducing potential for future data loss or catastrophic failure. This vulnerability, CVE-2022-36129, was fixed in Vault 1.9.8, 1.10.5, and 1.11.1. [HSEC-2022-15]
CHANGES:
- core/fips: Disable and warn about entropy augmentation in FIPS 140-2 Inside mode [GH-15858]
- core: Bump Go version to 1.17.12.
IMPROVEMENTS:
- core: Add sys/loggers and sys/loggers/:name endpoints to provide ability to modify logging verbosity [GH-16111]
- secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]
BUG FIXES:
- agent/template: Fix parsing error for the exec stanza [GH-16231]
- core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
- core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
- core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
- core: Limit SSCT WAL checks on perf standbys to raft backends only [GH-15879]
- plugin/multiplexing: Fix panic when id doesn't exist in connection map [GH-16094]
- secret/pki: Do not fail validation with a legacy key_bits default value and key_type=any when signing CSRs [GH-16246]
- storage/raft (enterprise): Prevent unauthenticated voter status with rejoin [GH-16324]
- transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
- ui: Fix issue where metadata tab is hidden even though policy grants access [GH-15824]
- ui: Revert using localStorage in favor of sessionStorage [GH-16169]
- ui: Updated leasId to leaseId in the "Copy Credentials" section of "Generate AWS Credentials" [GH-15685]
CHANGES:
- core: Bump Go version to 1.17.11. [GH-go-ver-1104]
IMPROVEMENTS:
- api/monitor: Add log_format option to allow for logs to be emitted in JSON format [GH-15536]
- auth: Globally scoped Login MFA method Get/List endpoints [GH-15248]
- auth: forward cached MFA auth response to the leader using RPC instead of forwarding all login requests [GH-15469]
- cli/debug: added support for retrieving metrics from DR clusters if unauthenticated_metrics_access is enabled [GH-15316]
- command/debug: Add log_format flag to allow for logs to be emitted in JSON format [GH-15536]
- core: Fix some identity data races found by Go race detector (no known impact yet). [GH-15123]
- storage/raft: Use larger timeouts at startup to reduce likelihood of inducing elections. [GH-15042]
- ui: Allow namespace param to be parsed from state queryParam [GH-15378]
BUG FIXES:
- agent: Redact auto auth token from renew endpoints [GH-15380]
- auth/kubernetes: Fix error code when using the wrong service account [GH-15585]
- auth/ldap: The logic for setting the entity alias when username_as_alias is set has been fixed. The previous behavior would make a request to the LDAP server to get user_attr before discarding it and using the username instead. This would make it impossible for a user to connect if this attribute was missing or had multiple values, even though it would not be used anyway. This has been fixed and the username is now used without making superfluous LDAP searches. [GH-15525]
- auth: Fixed erroneous success message when using vault login in case of two-phase MFA [GH-15428]
- auth: Fixed erroneous token information being displayed when using vault login in case of two-phase MFA [GH-15428]
- auth: Fixed two-phase MFA information missing from table format when using vault login [GH-15428]
- auth: Prevent deleting a valid MFA method ID using the endpoint for a different MFA method type [GH-15482]
- core (enterprise): Fix overcounting of lease count quota usage at startup.
- core: Prevent changing file permissions of audit logs when mode 0000 is used. [GH-15759]
- core: Prevent metrics generation from causing deadlocks. [GH-15693]
- core: fixed systemd reloading notification [GH-15041]
- mfa/okta: disable client side rate limiting causing delays in push notifications [GH-15369]
- storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
- transform (enterprise): Fix non-overridable column default value causing tokenization tokens to expire prematurely when using the MySQL storage backend.
- ui: Fix inconsistent behavior in client count calendar widget [GH-15789]
- ui: Fixed client count timezone for start and end months [GH-15167]
- ui: fix firefox inability to recognize file format of client count csv export [GH-15364]
SECURITY:
- auth: A vulnerability was identified in Vault and Vault Enterprise (“Vault”) from 1.10.0 to 1.10.2 where MFA may not be enforced on user logins after a server restart. This vulnerability, CVE-2022-30689, was fixed in Vault 1.10.3.
BUG FIXES:
- auth: load login MFA configuration upon restart [GH-15261]
- core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [GH-15224]
- core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
BUG FIXES:
- raft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [GH-15156]
- sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [GH-15104]
CHANGES:
- core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [GH-14328]
- core: Bump Go version to 1.17.9. [GH-15044]
IMPROVEMENTS:
- agent: Upgrade hashicorp/consul-template version for sprig template functions and improved writeTo function [GH-15092]
- auth: enforce a rate limit for TOTP passcode validation attempts [GH-14864]
- cli/vault: warn when policy name contains upper-case letter [GH-14670]
- cockroachdb: add high-availability support [GH-12965]
- sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
BUG FIXES:
- Fixed panic when adding or modifying a Duo MFA Method in Enterprise
- agent: Fix log level mismatch between ERR and ERROR [GH-14424]
- api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [GH-14269]
- api: Respect increment value in grace period calculations in LifetimeWatcher [GH-14836]
- auth/approle: Add maximum length for input values that result in SHA256 HMAC calculation [GH-14746]
- auth: forward requests subject to login MFA from perfStandby to Active node [GH-15009]
- cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [GH-14973]
- cli: Fix panic caused by parsing key=value fields whose value is a single backslash [GH-14523]
- core (enterprise): Allow local alias create RPCs to persist alias metadata [GH-changelog:_2747]
- core/managed-keys (enterprise): Allow PKCS#11 managed keys to use 0 as a slot number
- core/metrics: Fix incorrect table size metric for local mounts [GH-14755]
- core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [GH-15072]
- core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [GH-14522]
- core: Fix panic caused by parsing policies with empty slice values. [GH-14501]
- core: Fix panic for help request URL paths without /v1/ prefix [GH-14704]
- core: fixing excessive unix file permissions [GH-14791]
- core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [GH-14846]
- core: report unused or redundant keys in server configuration [GH-14752]
- core: time.After() used in a select statement can lead to memory leak [GH-14814]
- raft: Ensure initialMmapSize is set to 0 on Windows [GH-14977]
- replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [GH-14622]
- secrets/database: Ensure that a connection_url password is redacted in all cases. [GH-14744]
- secrets/pki: Fix handling of "any" key type with default zero signature bits value. [GH-14875]
- secrets/pki: Fixed bug where larger SHA-2 hashes were truncated with shorter ECDSA CA certificates [GH-14943]
- ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [GH-15046]
- ui: Fixes edit auth method capabilities issue [GH-14966]
- ui: Fixes issue logging in with OIDC from a listed auth mounts tab [GH-14916]
- ui: fix search-select component showing blank selections when editing group member entity [GH-15058]
- ui: masked values no longer give away length or location of special characters [GH-15025]
CHANGES:
- core (enterprise): requests with newly generated tokens to perf standbys which are lagging behind the active node return http 412 instead of 400/403/50x.
- core: Changes the unit of default_lease_ttl and max_lease_ttl values returned by the /sys/config/state/sanitized endpoint from nanoseconds to seconds. [GH-14206]
- core: Bump Go version to 1.17.7. [GH-14232]
- plugin/database: The return value from POST /database/config/:name has been updated to "204 No Content" [GH-14033]
- secrets/azure: Changes the configuration parameter use_microsoft_graph_api to use the Microsoft Graph API by default. [GH-14130]
- storage/etcd: Remove support for v2. [GH-14193]
- ui: Upgrade Ember to version 3.24 [GH-13443]
FEATURES:
- Database plugin multiplexing: manage multiple database connections with a single plugin process [GH-14033]
- Login MFA: Single and two phase MFA is now available when authenticating to Vault. [GH-14025]
- Mount Migration: Vault supports moving secrets and auth mounts both within and across namespaces.
- Postgres in the UI: Postgres DB is now supported by the UI [GH-12945]
- Report in-flight requests: Adding a trace capability to show in-flight requests, and a new gauge metric to show the total number of in-flight requests [GH-13024]
- Server Side Consistent Tokens: Service tokens have been updated to be longer (a minimum of 95 bytes) and token prefixes for all token types are updated from s., b., and r. to hvs., hvb., and hvr. for service, batch, and recovery tokens respectively. Vault clusters with integrated storage will now have read-after-write consistency by default. [GH-14109]
- Transit SHA-3 Support: Add support for SHA-3 in the Transit backend. [GH-13367]
- Transit Time-Based Key Autorotation: Add support for automatic, time-based key rotation to transit secrets engine, including in the UI. [GH-13691]
- UI Client Count Improvements: Restructures client count dashboard, making use of billing start date to improve accuracy. Adds mount-level distribution and filtering. [GH-client-counts]
- Agent Telemetry: The Vault Agent can now collect and return telemetry information at the /agent/v1/metrics endpoint.
IMPROVEMENTS:
- agent: Adds ability to configure specific user-assigned managed identities for Azure auto-auth. [GH-14214]
- agent: The agent/v1/quit endpoint can now be used to stop the Vault Agent remotely [GH-14223]
- api: Allow cloning api.Client tokens via api.Config.CloneToken or api.Client.SetCloneToken(). [GH-13515]
- api: Define constants for X-Vault-Forward and X-Vault-Inconsistent headers [GH-14067]
- api: Implements Login method in Go client libraries for GCP and Azure auth methods [GH-13022]
- api: Implements Login method in Go client libraries for LDAP auth methods [GH-13841]
- api: Trim newline character from wrapping token in logical.Unwrap from the api package [GH-13044]
- api: add api method for modifying raft autopilot configuration [GH-12428]
- api: respect WithWrappingToken() option during AppRole login authentication when used with secret ID specified from environment or from string [GH-13241]
- audit: The audit logs now contain the port used by the client [GH-12790]
- auth/aws: Enable region detection in the CLI by specifying the region as auto [GH-14051]
- auth/cert: Add certificate extensions as metadata [GH-13348]
- auth/jwt: The Authorization Code flow makes use of the Proof Key for Code Exchange (PKCE) extension. [GH-13365]
- auth/kubernetes: Added support for dynamically reloading short-lived tokens for better Kubernetes 1.21+ compatibility [GH-13595]
- auth/ldap: Add a response warning and server log whenever the config is accessed if userfilter doesn't consider userattr [GH-14095]
- auth/ldap: Add username to alias metadata [GH-13669]
- auth/ldap: Add username_as_alias configurable to change how aliases are named [GH-14324]
- auth/okta: Update okta-sdk-golang dependency to version v2.9.1 for improved request backoff handling [GH-13439]
- auth/token: The auth/token/revoke-accessor endpoint is now idempotent and will not error out if the token has already been revoked. [GH-13661]
- auth: reading sys/auth/:path now returns the configuration for the auth engine mounted at the given path [GH-12793]
- cli: interactive CLI for login mfa [GH-14131]
- command (enterprise): "vault license get" now uses non-deprecated endpoint /sys/license/status
- core/ha: Add new mechanism for keeping track of peers talking to active node, and new 'operator members' command to view them. [GH-13292]
- core/identity: Support updating an alias' custom_metadata to be empty. [GH-13395]
- core/pki: Support Y10K value in notAfter field to be compliant with IEEE 802.1AR-2018 standard [GH-12795]
- core/pki: Support Y10K value in notAfter field when signing non-CA certificates [GH-13736]
- core: Add duration and start_time to completed requests log entries [GH-13682]
- core: Add support to list password policies at sys/policies/password [GH-12787]
- core: Add support to list version history via API at sys/version-history and via CLI with vault version-history [GH-13766]
- core: Fixes code scanning alerts [GH-13667]
- core: Periodically test the health of connectivity to auto-seal backends [GH-13078]
- core: Reading sys/mounts/:path now returns the configuration for the secret engine at the given path [GH-12792]
- core: Replace "master key" terminology with "root key" [GH-13324]
- core: Small changes to ensure goroutines terminate in tests [GH-14197]
- core: Systemd unit file included with the Linux packages now sets the service type to notify. [GH-14385]
- core: Update github.com/prometheus/client_golang to fix security vulnerability CVE-2022-21698. [GH-14190]
- core: Vault now supports the PROXY protocol v2. Support for UNKNOWN connections has also been added to the PROXY protocol v1. [GH-13540]
- http (enterprise): Serve /sys/license/status endpoint within namespaces
- identity/oidc: Adds a default OIDC provider [GH-14119]
- identity/oidc: Adds a default key for OIDC clients [GH-14119]
- identity/oidc: Adds an allow_all assignment that permits all entities to authenticate via an OIDC client [GH-14119]
- identity/oidc: Adds proof key for code exchange (PKCE) support to OIDC providers. [GH-13917]
- sdk: Add helper for decoding root tokens [GH-10505]
- secrets/azure: Adds support for rotate-root. #70 [GH-13034]
- secrets/consul: Add support for consul enterprise namespaces and admin partitions. [GH-13850]
- secrets/consul: Add support for consul roles. [GH-14014]
- secrets/database/influxdb: Switch/upgrade to the influxdb1-client module [GH-12262]
- secrets/database: Add database configuration parameter 'disable_escaping' for username and password when connecting to a database. [GH-13414]
- secrets/kv: add full secret path output to table-formatted responses [GH-14301]
- secrets/kv: add patch support for KVv2 key metadata [GH-13215]
- secrets/kv: add subkeys endpoint to retrieve a secret's structure without its values [GH-13893]
- secrets/pki: Add ability to fetch individual certificate as DER or PEM [GH-10948]
- secrets/pki: Add count and duration metrics to PKI issue and revoke calls. [GH-13889]
- secrets/pki: Add error handling for error types other than UserError or InternalError [GH-14195]
- secrets/pki: Allow URI SAN templates in allowed_uri_sans when allowed_uri_sans_template is set to true. [GH-10249]
- secrets/pki: Allow other_sans in sign-intermediate and sign-verbatim [GH-13958]
- secrets/pki: Calculate the Subject Key Identifier as suggested in RFC 5280, Section 4.2.1.2. [GH-11218]
- secrets/pki: Restrict issuance of wildcard certificates via role parameter (allow_wildcard_certificates) [GH-14238]
- secrets/pki: Return complete chain (in ca_chain field) on calls to pki/cert/ca_chain [GH-13935]
- secrets/pki: Use application/pem-certificate-chain for PEM certificates, application/x-pem-file for PEM CRLs [GH-13927]
- secrets/pki: select appropriate signature algorithm for ECDSA signature on certificates. [GH-11216]
- secrets/ssh: Add support for generating non-RSA SSH CAs [GH-14008]
- secrets/ssh: Allow specifying multiple approved key lengths for a single algorithm [GH-13991]
- secrets/ssh: Use secure default for algorithm signer (rsa-sha2-256) with RSA SSH CA keys on new roles [GH-14006]
- secrets/transit: Don't abort transit encrypt or decrypt batches on single item failure. [GH-13111]
- storage/aerospike: Upgrade aerospike-client-go to v5.6.0. [GH-12165]
- storage/raft: Set InitialMmapSize to 100GB on 64bit architectures [GH-13178]
- storage/raft: When using retry_join stanzas, join against all of them in parallel. [GH-13606]
- sys/raw: Enhance sys/raw to read and write values that cannot be encoded in json. [GH-13537]
- ui: Add support for ECDSA and Ed25519 certificate views [GH-13894]
- ui: Add version diff view for KV V2 [GH-13000]
- ui: Added client side paging for namespace list view [GH-13195]
- ui: Adds flight icons to UI [GH-12976]
- ui: Adds multi-factor authentication support [GH-14049]
- ui: Allow static role credential rotation in Database secrets engines [GH-14268]
- ui: Display badge for all versions in secrets engine header [GH-13015]
- ui: Swap browser localStorage in favor of sessionStorage [GH-14054]
- ui: The integrated web terminal now accepts both -f and --force as aliases for -force for the write command. [GH-13683]
- ui: Transform advanced templating with encode/decode format support [GH-13908]
- ui: Updates ember blueprints to glimmer components [GH-13149]
- ui: customizes empty state messages for transit and transform [GH-13090]
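The PKI improvement above, "Calculate the Subject Key Identifier as suggested in RFC 5280, Section 4.2.1.2", refers to method (1) of that section: the identifier is the SHA-1 hash of the subjectPublicKey BIT STRING value (tag, length and unused-bits byte excluded). The Go program below is an added example written for this page, not Vault's implementation: it computes the identifier from a public key, builds a throwaway CA and leaf with Go's standard library, and shows the computed value agreeing with the CA certificate's extension and with the leaf's authorityKeyIdentifier. The function names SubjectKeyIdentifier, IssuerKeyIDMatches and MiniPKI and the subject names are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// subjectPublicKeyInfo mirrors the SubjectPublicKeyInfo SEQUENCE of RFC 5280
// section 4.1.2.7, the structure x509.MarshalPKIXPublicKey emits.
type subjectPublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// SubjectKeyIdentifier implements method (1) of RFC 5280 section 4.2.1.2: the
// 160-bit SHA-1 hash of the subjectPublicKey BIT STRING value, excluding tag,
// length and the unused-bits byte. Any key x509.MarshalPKIXPublicKey accepts
// (RSA, ECDSA, Ed25519) works.
func SubjectKeyIdentifier(pub any) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var spki subjectPublicKeyInfo
	rest, err := asn1.Unmarshal(der, &spki)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after SubjectPublicKeyInfo", len(rest))
	}
	sum := sha1.Sum(spki.PublicKey.Bytes) // BIT STRING content only
	return sum[:], nil
}

// IssuerKeyIDMatches is the linkage chain builders rely on: the child's
// authorityKeyIdentifier must equal the issuer's subjectKeyIdentifier.
func IssuerKeyIDMatches(child, issuer *x509.Certificate) bool {
	return len(issuer.SubjectKeyId) > 0 && bytes.Equal(child.AuthorityKeyId, issuer.SubjectKeyId)
}

// issue signs tmpl with signer; parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MiniPKI builds a self-signed P-256 CA and one leaf it signs. The CA template
// leaves SubjectKeyId empty so x509.CreateCertificate fills it by the same
// RFC 5280 method (Go does this for CA templates since 1.15) and copies it
// into the leaf's AuthorityKeyId. Subject names are assumed for the demo.
func MiniPKI() (caKey *ecdsa.PrivateKey, ca, leaf *x509.Certificate, err error) {
	if caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example-leaf"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if leaf, err = issue(leafTmpl, ca, &leafKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	return caKey, ca, leaf, nil
}

func main() {
	caKey, ca, leaf, err := MiniPKI()
	if err != nil {
		panic(err)
	}
	ski, err := SubjectKeyIdentifier(&caKey.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("computed SKI: %x\nCA cert SKI:  %x\nleaf AKI links to CA SKI: %v\n",
		ski, ca.SubjectKeyId, IssuerKeyIDMatches(leaf, ca))
}
```

The point of following the RFC method is interoperability: a CA whose key identifier is derived the same way by every tool yields authorityKeyIdentifier values that match across certificates issued by Vault and elsewhere, so chain building by key ID works. SHA-1 here is only an identifier (it must be stable and unique within the CA's key set), not a security binding; the signature over the certificate is what binds issuer to subject.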
BUG FIXES:
- Fixed bug where auth method only considers system-identity when multiple identities are available. #50 [GH-14138]
- activity log (enterprise): allow partial monthly client count to be accessed from namespaces [GH-13086]
- agent: Fixes bug where vault agent is unaware of the namespace in the config when wrapping token
- api/client: Fixes an issue where the replicateStateStore was being set to nil upon consecutive calls to client.SetReadYourWrites(true). [GH-13486]
- auth/approle: Fix regression where unset cidrlist is returned as nil instead of zero-length array. [GH-13235]
- auth/approle: Fix wrapping of nil errors in login endpoint [GH-14107]
- auth/github: Use the Organization ID instead of the Organization name to verify the org membership. [GH-13332]
- auth/kubernetes: Properly handle the migration of role storage entries containing an empty alias_name_source [GH-13925]
- auth/kubernetes: ensure valid entity alias names created for projected volume tokens [GH-14144]
- auth/oidc: Fixes OIDC auth from the Vault UI when using the implicit flow and form_post response mode. [GH-13492]
- cli: Fix using kv patch with older server versions that don't support HTTP PATCH. [GH-13615]
- core (enterprise): Fix a data race in logshipper.
- core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
- core/api: Fix overwriting of request headers when using JSONMergePatch. [GH-14222]
- core/identity: Address a data race condition between local updates to aliases and invalidations [GH-13093]
- core/identity: Address a data race condition between local updates to aliases and invalidations [GH-13476]
- core/token: Fix null token panic from 'v1/auth/token/' endpoints and return proper error response. [GH-13233]
- core/token: Fix null token_type panic resulting from 'v1/auth/token/roles/{role_name}' endpoint [GH-13236]
- core: Fix warnings logged on perf standbys re stored versions [GH-13042]
- core: -output-curl-string now properly sets cURL options for client and CA certificates. [GH-13660]
- core: add support for go-sockaddr templates in the top-level cluster_addr field [GH-13678]
- core: authentication to "login" endpoint for non-existent mount path returns permission denied with status code 403 [GH-13162]
- core: revert some unintentionally downgraded dependencies from 1.9.0-rc1 [GH-13168]
- ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
- http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
- http: Fix /sys/monitor endpoint returning streaming not supported [GH-13200]
- identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs. [GH-13871]
- identity/oidc: Check for a nil signing key on rotation to prevent panics. [GH-13716]
- identity/oidc: Fixes inherited group membership when evaluating client assignments [GH-14013]
- identity/oidc: Fixes potential write to readonly storage on performance secondary clusters during key rotation [GH-14426]
- identity/oidc: Make the nonce parameter optional for the Authorization Endpoint of OIDC providers. [GH-13231]
- identity/token: Fixes a bug where duplicate public keys could appear in the .well-known JWKS [GH-14543]
- identity: Fix possible nil pointer dereference. [GH-13318]
- identity: Fix regression preventing startup when aliases were created pre-1.9. [GH-13169]
- identity: Fixes a panic in the OIDC key rotation due to a missing nil check. [GH-13298]
- kmip (enterprise): Fix locate by name operations fail to find key after a rekey operation.
- licensing (enterprise): Revert accidental inclusion of the TDE feature from the prem build.
- metrics/autosnapshots (enterprise): Fix bug that could cause vault.autosnapshots.save.errors to not be incremented when there is an autosnapshot save error.
- physical/mysql: Create table with wider vault_key column when initializing database tables. [GH-14231]
- plugin/couchbase: Fix an issue in which the locking patterns did not allow parallel requests. [GH-13033]
- replication (enterprise): When using encrypted secondary tokens, only clear the private key after a successful connection to the primary cluster
- sdk/framework: Generate proper OpenAPI specs for path patterns that use an alternation as the root. [GH-13487]
- sdk/helper/ldaputil: properly escape a trailing escape character to prevent panics. [GH-13452]
- sdk/queue: move lock before length check to prevent panics. [GH-13146]
- sdk: Fixes OpenAPI to distinguish between paths that can do only List, or both List and Read. [GH-13643]
- secrets/azure: Fixed bug where Azure environment did not change Graph URL [GH-13973]
- secrets/azure: Fixes service principal generation when assigning roles that have DataActions. [GH-13277]
- secrets/azure: Fixes the rotate root operation for upgraded configurations with a root_password_ttl of zero. [GH-14130]
- secrets/database/cassandra: change connect_timeout to 5s as documentation says [GH-12443]
- secrets/database/mssql: Accept a boolean for contained_db, rather than just a string. [GH-13469]
- secrets/gcp: Fixed bug where error was not reported for invalid bindings [GH-13974]
- secrets/gcp: Fixes role bindings for BigQuery dataset resources. [GH-13548]
- secrets/openldap: Fix panic from nil logger in backend [GH-14171]
- secrets/pki: Default value for key_bits changed to 0, enabling key_type=ec key generation with default value [GH-13080]
- secrets/pki: Fix issuance of wildcard certificates matching glob patterns [GH-14235]
- secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-13759]
- secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-2456]
- secrets/pki: Fixes around NIST P-curve signature hash length, default value for signature_bits changed to 0. [GH-12872]
- secrets/pki: Recognize ed25519 when requesting a response in PKCS8 format [GH-13257]
- secrets/pki: Skip signature bits validation for ed25519 curve key type [GH-13254]
- secrets/transit: Ensure that Vault does not panic for invalid nonce size when we aren't in convergent encryption mode. [GH-13690]
- secrets/transit: Return an error if any required parameter is missing. [GH-14074]
- storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [GH-13286]
- storage/raft: Fix a panic when trying to write a key > 32KB [GH-13282]
- storage/raft: Fix issues allowing invalid nodes to become leadership candidates. [GH-13703]
- storage/raft: Fix regression in 1.9.0-rc1 that changed how time is represented in Raft logs; this prevented using a raft db created pre-1.9. [GH-13165]
- storage/raft: On Linux, use map_populate for bolt files to improve startup time. [GH-13573]
- storage/raft: Units for bolt metrics now given in milliseconds instead of nanoseconds [GH-13749]
- ui: Adds pagination to auth methods list view [GH-13054]
- ui: Do not show verify connection value on database connection config page [GH-13152]
- ui: Fix client count current month data not showing unless monthly history data exists [GH-13396]
- ui: Fix default TTL display and set on database role [GH-14224]
- ui: Fix incorrect validity message on transit secrets engine [GH-14233]
- ui: Fix issue where UI incorrectly handled API errors when mounting backends [GH-14551]
- ui: Fix kv engine access bug [GH-13872]
- ui: Fixes breadcrumb bug for secrets navigation [GH-13604]
- ui: Fixes caching issue on kv new version create [GH-14489]
- ui: Fixes displaying empty masked values in PKI engine [GH-14400]
- ui: Fixes horizontal bar chart hover issue when filtering namespaces and mounts [GH-14493]
- ui: Fixes issue logging out with wrapped token query parameter [GH-14329]
- ui: Fixes issue where removing a raft storage peer via the CLI was not reflected in the UI until refresh [GH-13098]
- ui: Fixes issue restoring raft storage snapshot [GH-13107]
- ui: Fixes issue saving KMIP role correctly [GH-13585]
- ui: Fixes issue with OIDC auth workflow when using MetaMask Chrome extension [GH-13133]
- ui: Fixes issue with SearchSelect component not holding focus [GH-13590]
- ui: Fixes issue with automate secret deletion value not displaying initially if set in secret metadata edit view [GH-13177]
- ui: Fixes issue with correct auth method not selected when logging out from OIDC or JWT methods [GH-14545]
- ui: Fixes issue with placeholder not displaying for automatically deleted secrets when deletion time has passed [GH-13166]
- ui: Fixes issue with the number of PGP Key inputs not matching the key shares number in the initialization form on change [GH-13038]
- ui: Fixes long secret key names overlapping masked values [GH-13032]
- ui: Fixes node-forge error when parsing EC (elliptic curve) certs [GH-13238]
- ui: Redirects to managed namespace if incorrect namespace in URL param [GH-14422]
- ui: Removes ability to tune token_type for token auth methods [GH-12904]
- ui: Trigger token renewal if inactive and half of TTL has passed [GH-13950]