VDB

HCSEC-2023-30

HCSEC-2023-30 PUBLISHED

**Bulletin ID:** HCSEC-2023-30 **Affected Products / Versions:** Vault and Vault Enterprise since 0.10; fixed in 1.13.0. **Publication Date:** September 28, 2023 **Summary** The Vault and Vault Enterprise (“Vault”) Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. This vulnerability, CVE-2023-5077, was fixed in Vault 1.13.0. *For this retroactive bulletin, the Vault 1.13 fix for this issue has already been inherited by Vault 1.14 and 1.15 releases.* **Background** The [Google Cloud secrets engine](https://developer.hashicorp.com/vault/docs/secrets/gcp) allows Vault to provision dynamic IAM credentials for accessing Google Cloud environments. Google Cloud [IAM Conditions](https://cloud.google.com/iam/docs/conditions-overview) allow an operator to define conditions to grant access to resources. A [roleset](https://developer.hashicorp.com/vault/docs/secrets/gcp#rolesets) consists of a Vault managed Google Cloud service account along with a set of IAM bindings, possibly including IAM conditions, defined for that service account. **Details** It was discovered that when creating or updating a roleset, Vault did not copy existing conditions to the newly-created IAM policy binding object, resulting in existing IAM conditions no longer being enforced for that roleset. **Remediation** Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.13.0, or newer. Please refer to [Upgrading Vault](https://learn.hashicorp.com/tutorials/vault/sop-upgrade?in=vault/standard-procedures) for general guidance and version-specific upgrade notes. **Acknowledgement** This issue was identified by a third party who [reported it](https://github.com/hashicorp/vault-plugin-secrets-gcp/issues/113) and [provided a fix](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/114) to HashiCorp. *We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*

Timeline

  • Sep 28, 2023 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›