
CVE-2023-0665 : What You Need to Know

CVE-2023-0665: Published by HashiCorp on March 30, 2023. This vulnerability in HashiCorp Vault could allow denial of service. Learn more about the impact and mitigation steps.

CVE-2023-0665 was published by HashiCorp on March 30, 2023. It describes a vulnerability in HashiCorp Vault in which the PKI mount issuer endpoints did not correctly authorize access to modify issuer metadata, potentially allowing denial of service against the PKI mount. The issue did not affect public or private key material, trust chains, or certificate issuance. It is fixed in Vault versions 1.13.1, 1.12.5, and 1.11.9.

Understanding CVE-2023-0665

This section delves deeper into the details of the CVE-2023-0665 vulnerability affecting HashiCorp Vault.

What is CVE-2023-0665?

The vulnerability in HashiCorp Vault allowed unauthorized modification of issuer metadata through the PKI mount issuer endpoints, which could cause a denial of service for that PKI mount. It did not affect key material, trust chains, or certificate issuance.

The Impact of CVE-2023-0665

The impact is a denial of service against the PKI mount, affecting the availability of certificate operations on that mount rather than their integrity. The vulnerability has a CVSS v3.1 base score of 6.5, which is medium severity.

Technical Details of CVE-2023-0665

This section elaborates on the technical aspects of the CVE-2023-0665 vulnerability within HashiCorp Vault.

Vulnerability Description

Vault's PKI mount issuer endpoints failed to correctly authorize requests that modify issuer metadata, so a caller without the appropriate permissions could change it and potentially render the PKI mount unusable (denial of service). The issue was resolved in HashiCorp Vault versions 1.13.1, 1.12.5, and 1.11.9.

Affected Systems and Versions

The affected products are HashiCorp Vault and Vault Enterprise on all supported platforms (Windows, macOS, and Linux; x86 and ARM; 64-bit and 32-bit). The vulnerability affected versions 1.13.0, 1.12.0, and 1.11.0, with fixes released in versions 1.13.1, 1.12.5, and 1.11.9.

Exploitation Mechanism

An unauthorized user who could reach the PKI mount issuer endpoints could manipulate issuer metadata, potentially causing a denial of service for the PKI mount within HashiCorp Vault. Because key material and trust chains are not exposed, the consequence is loss of availability, not forged certificates.

Mitigation and Prevention

To address and prevent the CVE-2023-0665 vulnerability in HashiCorp Vault, the following measures can be taken:

Immediate Steps to Take

- Upgrade affected HashiCorp Vault instances to version 1.13.1, 1.12.5, or 1.11.9, where the vulnerability has been fixed.
- Review and adjust access controls for issuer metadata to prevent unauthorized modifications.

Long-Term Security Practices

- Regularly update and patch HashiCorp Vault to the latest versions so that security vulnerabilities are addressed promptly.
- Implement secure configuration practices and restrict access to critical components within Vault to authorized personnel only.

Patching and Updates

HashiCorp has released fixes for CVE-2023-0665 in Vault versions 1.13.1, 1.12.5, and 1.11.9. Apply the release for your minor line promptly to secure affected systems.
