HCSEC-2021-30
**Bulletin ID:** HCSEC-2021-30

**Affected Products / Versions:** Vault and Vault Enterprise 0.11.0 through 1.7.5 and 1.8.4; fixed in 1.7.6, 1.8.5 and 1.9.0.

**Publication Date:** November 18, 2021

**Summary**

Vault and Vault Enterprise (“Vault”) templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a given entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

**Background**

Vault’s identity secrets engine is Vault’s identity management solution. It has the concept of entities, each of which may have an alias for each mount accessor it authenticates through. Vault generally expects a single alias per entity and authentication backend. There is additional information regarding entity and alias concepts in Vault’s [Identity Secrets Engine documentation](https://www.vaultproject.io/docs/secrets/identity) and the [Identity: Entities and Groups tutorial](https://learn.hashicorp.com/tutorials/vault/identity). Additional information regarding templated ACL policies can be found in the [Templated Policies documentation](https://www.vaultproject.io/docs/concepts/policies#templated-policies) and the [ACL Policy Path Templating tutorial](https://learn.hashicorp.com/tutorials/vault/policy-templating).

**Details**

An external party reported that a single entity could hold multiple entity aliases for the same entity and mount combination. When templated ACL policies were in use, such cases could result in incorrect policies being applied: the template was always resolved from the first-created alias, so the permissions derived from that alias continued to be enforced for it and were also enforced for the newly-created alias. As of 1.7.6, 1.8.5, and 1.9.0, Vault prevents the creation of a new entity alias if one already exists for the given entity and mount combination.
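The condition can be audited before an upgrade, and the effect on a templated path made visible, with the following script. It is an added example, not code from the bulletin or from Vault itself. It assumes the entity records are the `data` objects returned by `vault read -format=json identity/entity/id/<id>` (the field names `aliases`, `mount_accessor`, `name` and `creation_time` are taken from that response as understood here), the three entities and the mount accessors are constructed samples, and `render_policy` reproduces only the behaviour the bulletin describes for affected versions, namely that the first-created alias on a mount always wins:

```python
"""Audit Vault entities for duplicate aliases on one mount accessor (the
condition behind CVE-2021-43998) and show which alias a templated ACL
policy path resolves to on affected versions.

Constructed sample input; field names follow the identity API's entity
read response as this example's author understands it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real Vault output. Only the fields used
# below are present; accessor strings and IDs are invented.
ENTITIES = [
    {
        "id": "0a4c1e7e-1111-4d3f-9d1d-aaaaaaaaaaaa",
        "name": "alice",
        "aliases": [
            {"name": "alice", "mount_accessor": "auth_userpass_4e1c7f0b",
             "creation_time": "2021-03-01T10:00:00.000000000Z"},
            # second alias on the SAME accessor: the duplicate the bulletin warns about
            {"name": "alice-admin", "mount_accessor": "auth_userpass_4e1c7f0b",
             "creation_time": "2021-09-15T08:30:00.123456789Z"},
        ],
    },
    {
        "id": "7f2d9b30-2222-4c7a-8e55-bbbbbbbbbbbb",
        "name": "bob",
        "aliases": [  # one alias per accessor: the expected layout
            {"name": "bob", "mount_accessor": "auth_userpass_4e1c7f0b",
             "creation_time": "2021-04-02T09:00:00Z"},
            {"name": "bob@corp.example", "mount_accessor": "auth_ldap_9c0d2a61",
             "creation_time": "2021-04-02T09:05:00Z"},
        ],
    },
]

# A templated policy keyed on the userpass alias name (constructed).
POLICY = (
    'path "secret/data/users/{{identity.entity.aliases.auth_userpass_4e1c7f0b.name}}/*" '
    '{ capabilities = ["read", "list"] }'
)

TS_RE = re.compile(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z")
ALIAS_TPL = re.compile(r"\{\{identity\.entity\.aliases\.([A-Za-z0-9_]+)\.name\}\}")


def parse_rfc3339(ts):
    """Parse a UTC RFC 3339 timestamp, tolerating nanosecond precision
    (assumed to be the format Vault emits for creation_time)."""
    m = TS_RE.fullmatch(ts)
    if not m:
        raise ValueError(f"unexpected timestamp format: {ts}")
    base, frac = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.fromisoformat(base).replace(microsecond=micro)


def aliases_by_accessor(entity):
    """Group an entity's aliases per mount accessor, oldest first."""
    groups = defaultdict(list)
    for alias in entity["aliases"]:
        groups[alias["mount_accessor"]].append(alias)
    for accessor in groups:
        groups[accessor].sort(key=lambda a: parse_rfc3339(a["creation_time"]))
    return dict(groups)


def duplicate_aliases(entity):
    """Accessors on which this entity has more than one alias, with the
    alias names in creation order."""
    return {acc: [a["name"] for a in als]
            for acc, als in aliases_by_accessor(entity).items() if len(als) > 1}


def audit(entities):
    """Offline check for the duplicate-alias condition; one finding per
    entity/accessor pair that has more than one alias."""
    findings = []
    for ent in entities:
        for acc, names in duplicate_aliases(ent).items():
            findings.append(f"entity {ent['name']} ({ent['id']}) has {len(names)} "
                            f"aliases on mount accessor {acc}: {', '.join(names)}")
    return findings


def render_policy(policy, entity):
    """Expand alias-name templates as the bulletin describes affected
    versions behaving: the first-created alias for the accessor wins."""
    groups = aliases_by_accessor(entity)

    def pick(m):
        acc = m.group(1)
        if acc not in groups:
            # No alias on that mount; Vault's own handling of this case is
            # outside the bulletin, so the template is left unexpanded here.
            return m.group(0)
        return groups[acc][0]["name"]

    return ALIAS_TPL.sub(pick, policy)


if __name__ == "__main__":
    for line in audit(ENTITIES):
        print("WARNING:", line)
    for ent in ENTITIES:
        print(ent["name"], "->", render_policy(POLICY, ent))
```

For `alice`, whose entity carries both `alice` and `alice-admin` on the userpass accessor, the policy renders to `secret/data/users/alice/*` regardless of which alias the token was obtained through, which is the incorrect enforcement described above; `bob`, with one alias per accessor, renders as expected. To feed real data in, iterate `vault list identity/entity/id` and read each entity with `vault read -format=json identity/entity/id/<id>`.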
Vault will also warn operators on startup if multiple entity aliases exist for the same entity and mount combination: `One or more entities have multiple aliases on the same mount(s), remove duplicates to avoid ACL templating issues`.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Vault or Vault Enterprise 1.7.6, 1.8.5, or 1.9.0. Please refer to [Upgrading Vault](https://www.vaultproject.io/docs/upgrading) for general guidance and version-specific upgrade notes.

**Acknowledgement**

This issue was identified by Christian Baumann and Nick Triller, who reported it to HashiCorp.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.*
**Timeline**
- Nov 18, 2021 CVE Published