SECURITY:
- default Policy Privilege Escalation: If a parent token did not have
the default policy attached to its token, it could still create
children with the default policy. This is no longer allowed (unless
the parent has sudo capability for the creation path). In most cases
this is low severity since the access grants in the default policy are
meant to be access grants that are acceptable for all tokens to have.
- Leases Not Expired When Limited Use Token Runs Out of Uses: When
using limited-use tokens to create leased secrets, if the
limited-use token was revoked due to running out of uses (rather than
due to TTL expiration or explicit revocation) it would fail to revoke
the leased secrets. These secrets would still be revoked when their
TTL expired, limiting the severity of this issue. An endpoint has been
added (auth/token/tidy) that can perform housekeeping tasks on the
token store; one of its tasks can detect this situation and revoke the
associated leases.
FEATURES:
- Policy UI (Enterprise): Vault Enterprise UI now supports viewing,
creating, and editing policies.
IMPROVEMENTS:
- http: Vault now sets a no-store cache control header to make it more
secure in setups that are not end-to-end encrypted
BUG FIXES:
- auth/ldap: Don't panic if dialing returns an error and starttls is
enabled; instead, return the error
- ui (Enterprise): Submitting an unseal key now properly resets the
form so a browser refresh isn't required to continue.
0.6.3 (December 6, 2016)
DEPRECATIONS/CHANGES:
- Request size limitation: A maximum request size of 32MB is imposed
to prevent a denial of service attack with arbitrarily large
requests
- LDAP denies passwordless binds by default: In new LDAP mounts, or
when existing LDAP mounts are rewritten, passwordless binds will be
denied by default. The new deny_null_bind parameter can be set to
false to allow these.
- Any audit backend activated satisfies conditions: Previously, when a
new Vault node was taking over service in an HA cluster, all audit
backends were required to be loaded successfully to take over active
duty. This behavior now matches the behavior of the audit logging
system itself: at least one audit backend must successfully be loaded.
The server log contains an error when this occurs. This helps keep a
Vault HA cluster working when there is a misconfiguration on a standby
node.
FEATURES:
- Web UI (Enterprise): Vault Enterprise now contains a built-in web UI
that offers access to a number of features, including
init/unsealing/sealing, authentication via userpass or LDAP, and K/V
reading/writing. The capability set of the UI will be expanding
rapidly in further releases. To enable it, set ui = true in the top
level of Vault's configuration file and point a web browser at your
Vault address.
- Google Cloud Storage Physical Backend: You can now use GCS for
storing Vault data
IMPROVEMENTS:
- auth/github: Policies can now be assigned to users as well as to
teams
- cli: Set the number of retries on 500 down to 0 by default (no
retrying). It can be very confusing to users when there is a pause
while the retries happen if they haven't explicitly set it. With
request forwarding the need for this is lessened anyways.
- core: Response wrapping is now allowed to be specified by backend
responses (requires backends gaining support)
- physical/consul: When announcing service, use the scheme of the
Vault server rather than the Consul client
- secret/consul: Added listing functionality to roles
- secret/postgresql: Added revocation_sql parameter on the role
endpoint to enable customization of user revocation SQL statements
- secret/transit: Add listing of keys
BUG FIXES:
- api/unwrap, command/unwrap: Increase compatibility of unwrap command
with Vault 0.6.1 and older
- api/unwrap, command/unwrap: Fix error when no client token exists
- auth/approle: Creating the index for the role_id properly
- auth/aws-ec2: Handle the case of multiple upgrade attempts when
setting the instance-profile ARN
- auth/ldap: Avoid leaking connections on login
- command/path-help: Use the actual error generated by Vault rather
than always using 500 when there is a path help error
- command/ssh: Use temporary file for identity and ensure its deletion
before the command returns
- cli: Fix error printing values with -field if the values contained
formatting directives
- command/server: Don't say mlock is supported on OSX when it isn't.
- core: Fix bug where a failure to come up as active node (e.g. if an
audit backend failed) could lead to deadlock
- physical/mysql: Fix potential crash during setup due to a query
failure
- secret/consul: Fix panic on user error
DEPRECATIONS/CHANGES:
- Convergent Encryption v2: New keys in transit using convergent mode will
use a new nonce derivation mechanism rather than require the user to
supply a nonce. While not explicitly increasing security, it minimizes the
likelihood that a user will use the mode improperly and impact the security
of their keys. Keys in convergent mode that were created in v0.6.1 will
continue to work with the same mechanism (user-supplied nonce).
- etcd HA off by default: Following in the footsteps of dynamodb, the etcd
storage backend now requires that ha_enabled be explicitly specified in
the configuration file. The backend currently has known broken HA behavior,
so this flag discourages use by default without explicitly enabling it. If
you are using this functionality, when upgrading, you should set ha_enabled
to "true" before starting the new versions of Vault.
- Default/Max lease/token TTLs are now 32 days: In previous versions of
Vault the default was 30 days, but moving it to 32 days allows some
operations (e.g. reauthenticating, renewing, etc.) to be performed via a
monthly cron job.
- AppRole Secret ID endpoints changed: Secret ID and Secret ID accessors are
no longer part of request URLs. The GET and DELETE operations are now
moved to new endpoints (/lookup and /destroy) which consumes the input from
the body and not the URL.
- AppRole requires at least one constraint: previously it was sufficient to
turn off all AppRole authentication constraints (secret ID, CIDR block)
and use the role ID only. It is now required that at least one additional
constraint is enabled. Existing roles are unaffected, but any new roles or
updated roles will require this.
- Reading wrapped responses from cubbyhole/response is deprecated. The
sys/wrapping/unwrap endpoint should be used instead as it provides
additional security, auditing, and other benefits. The ability to read
directly will be removed in a future release.
- Request Forwarding is now on by default: in 0.6.1 this required toggling
on, but is now enabled by default. This can be disabled via the
"disable_clustering" parameter in Vault's config, or per-request with the
X-Vault-No-Request-Forwarding header.
- In prior versions a bug caused the bound_iam_role_arn value in the aws-ec2
authentication backend to actually use the instance profile ARN. This has
been corrected, but as a result there is a behavior change. To match using
the instance profile ARN, a new parameter bound_iam_instance_profile_arn has
been added. Existing roles will automatically transfer the value over to the
correct parameter, but the next time the role is updated, the new meanings
will take effect.
FEATURES:
- Secret ID CIDR Restrictions in AppRole: Secret IDs generated under an
approle can now specify a list of CIDR blocks from where the requests to
generate secret IDs should originate from. If an approle already has CIDR
restrictions specified, the CIDR restrictions on the secret ID should be a
subset of those specified on the role [GH-1910]
- Initial Root Token PGP Encryption: Similar to generate-root, the root
token created at initialization time can now be PGP encrypted [GH-1883]
- Support Chained Intermediate CAs in pki: The pki backend now allows, when
a CA cert is being supplied as a signed root or intermediate, a trust
chain of arbitrary length. The chain is returned as a parameter at
certificate issue/sign time and is retrievable independently as well.
[GH-1694]
- Response Wrapping Enhancements: There are new endpoints to look up
response wrapped token parameters; wrap arbitrary values; rotate wrapping
tokens; and unwrap with enhanced validation. In addition, list operations
can now be response-wrapped. [GH-1927]
- Transit features: The transit backend now supports generating random bytes
and SHA sums; HMACs; and signing and verification functionality using EC
keys (P-256 curve)
IMPROVEMENTS:
- api: Return error when an invalid (as opposed to incorrect) unseal key is
submitted, rather than ignoring it [GH-1782]
- api: Add method to call auth/token/create-orphan endpoint [GH-1834]
- api: Rekey operation now redirects from standbys to master [GH-1862]
- audit/file: Sending a SIGHUP to Vault now causes Vault to close and
re-open the log file, making it easier to rotate audit logs [GH-1953]
- auth/aws-ec2: EC2 instances can get authenticated by presenting the
identity document and its SHA256 RSA digest [GH-1961]
- auth/aws-ec2: IAM bound parameters on the aws-ec2 backend will perform a
prefix match instead of exact match [GH-1943]
- auth/aws-ec2: Added a new constraint bound_iam_instance_profile_arn to
refer to IAM instance profile ARN and fixed the earlier bound_iam_role_arn
to refer to IAM role ARN instead of the instance profile ARN [GH-1913]
- auth/aws-ec2: Backend generates the nonce by default and clients can
explicitly disable reauthentication by setting empty nonce [GH-1889]
- auth/token: Added warnings if tokens and accessors are used in URLs
[GH-1806]
- command/format: The format flag on select CLI commands takes yml as an
alias for yaml [GH-1899]
- core: Allow the size of the read cache to be set via the config file, and
change the default value to 1MB (from 32KB) [GH-1784]
- core: Allow single and two-character path parameters for most places
[GH-1811]
- core: Allow list operations to be response-wrapped [GH-1814]
- core: Provide better protection against timing attacks in Shamir code
[GH-1877]
- core: Unmounting/disabling backends no longer returns an error if the
mount didn't exist. This is line with elsewhere in Vault's API where
DELETE is an idempotent operation. [GH-1903]
- credential/approle: At least one constraint is required to be enabled
while creating and updating a role [GH-1882]
- secret/cassandra: Added consistency level for use with roles [GH-1931]
- secret/mysql: SQL for revoking user can be configured on the role
[GH-1914]
- secret/transit: Use HKDF (RFC 5869) as the key derivation function for new
keys [GH-1812]
- secret/transit: Empty plaintext values are now allowed [GH-1874]
BUG FIXES:
- audit: Fix panic being caused by some values logging as underlying Go
types instead of formatted strings [GH-1912]
- auth/approle: Fixed panic on deleting approle that doesn't exist [GH-1920]
- auth/approle: Not letting secret IDs and secret ID accessors to get logged
in plaintext in audit logs [GH-1947]
- auth/aws-ec2: Allow authentication if the underlying host is in a bad
state but the instance is running [GH-1884]
- auth/token: Fixed metadata getting missed out from token lookup response
by gracefully handling token entry upgrade [GH-1924]
- cli: Don't error on newline in token file [GH-1774]
- core: Pass back content-type header for forwarded requests [GH-1791]
- core: Fix panic if the same key was given twice to generate-root [GH-1827]
- core: Fix potential deadlock on unmount/remount [GH-1793]
- physical/file: Remove empty directories from the file storage backend
[GH-1821]
- physical/zookeeper: Remove empty directories from the zookeeper storage
backend and add a fix to the file storage backend's logic [GH-1964]
- secret/aws: Added update operation to aws/sts path to consider ttl
parameter [39b75c6]
- secret/aws: Mark STS secrets as non-renewable [GH-1804]
- secret/cassandra: Properly store session for re-use [GH-1802]
- secret/ssh: Fix panic when revoking SSH dynamic keys [GH-1781]
0.6.1 (August 22, 2016)
DEPRECATIONS/BREAKING CHANGES:
- Once the active node is 0.6.1, standby nodes must also be 0.6.1
in order to connect to the HA cluster.
- Status codes for sealed/uninitialized Vaults have changed to
503/501 respectively.
- Root tokens (tokens with the root policy) can no longer be
created except by another root token or the generate-root
endpoint.
- Issued certificates from the pki backend against new roles
created or modified after upgrading will contain a set of
default key usages.
- The dynamodb physical data store no longer supports HA by
default.
- The ldap backend no longer searches for memberOf groups as part
of its normal flow. Instead, the desired group filter must be
specified.
- app-id is now deprecated with the addition of the new AppRole
backend.
FEATURES:
- AppRole Authentication Backend: The approle backend is a
machine-oriented authentication backend that provides a similar
concept to App-ID while adding many missing features, including a
pull model that allows for the backend to generate authentication
credentials rather than requiring operators or other systems to
push credentials in.
- Request Forwarding: Vault servers can now forward requests to
each other rather than redirecting clients. This feature is off
by default in 0.6.1 but will be on by default in the next release.
- Convergent Encryption in Transit: The transit backend now
supports a convergent encryption mode where the same plaintext
will produce the same ciphertext.
- Improved LDAP Group Filters: The ldap auth backend now uses
templates to define group filters, providing the capability to
support some directories that could not easily be supported before
(especially specific Active Directory setups with nested groups).
- Key Usage Control in PKI: Issued certificates from roles created
or modified after upgrading contain a set of default key usages
for increased compatibility with OpenVPN and some other software.
- Request Retrying in the CLI and Go API: Requests that fail with
a 5xx error code will now retry after a backoff. The maximum
total number of retries (including disabling this functionality)
can be set with an environment variable.
- Service Discovery in vault init: The new -auto option on vault
init will perform service discovery using Consul.
- MongoDB Secret Backend: Generate dynamic unique MongoDB database
credentials based on configured roles.
- Circonus Metrics Integration: Vault can now send metrics to
Circonus.
IMPROVEMENTS:
- audit: Added a unique identifier to each request which will also
be found in the request portion of the response.
- auth/aws-ec2: Added a new constraint bound_account_id to the
role
- auth/aws-ec2: Added a new constraint bound_iam_role_arn to the
role
- auth/aws-ec2: Added ttl field for the role
- auth/ldap, secret/cassandra, physical/consul: Clients with
tls.Config have the minimum TLS version set to 1.2 by default.
- auth/token: Added endpoint to list accessors
- auth/token: Added disallowed_policies option to token store
roles
- auth/token: root or sudo tokens can now create periodic tokens
via auth/token/create; additionally, the same token can now be
periodic and have an explicit max TTL
- build: Add support for building on Solaris/Illumos
- cli: Output formatting in the presence of warnings in the
response object
- cli: vault auth command supports a -path option to take in the
path at which the auth backend is enabled, thereby allowing
authenticating against different paths using the command options
- cli: vault auth -methods will now display the config settings of
the mount
- cli: vault read/write/unwrap -field now allows selecting token
response fields
- cli: vault write -field now allows selecting wrapped response
fields
- command/status: Version information and cluster details added to
the output of vault status command
- core: Response wrapping is now enabled for login endpoints
- core: The duration of leadership is now exported via events
through telemetry
- core: sys/capabilities-self is now accessible as part of the
default policy
- core: sys/renew is now accessible as part of the default policy
- core: Unseal keys will now be returned in both hex and base64
forms, and either can be used
- core: Responses from most /sys endpoints now return normal
api.Secret structs in addition to the values they carried
before.
- physical/etcd: Support ETCD_ADDR env var for specifying
addresses
- physical/consul: Allowing additional tags to be added to Consul
service registration via service_tags option
- secret/aws: Listing of roles is supported now
- secret/cassandra: Add connect_timeout value for Cassandra
connection configuration
- secret/mssql,mysql,postgresql: Reading of connection settings is
supported in all the sql backends
- secret/mysql: Added optional maximum idle connections value to
MySQL connection configuration
- secret/mysql: Use a combination of the role name and token
display name in generated user names and allow the length to be
controlled
- secret/{cassandra,mssql,mysql,postgresql}: SQL statements can
now be passed in via one of four ways: a semicolon-delimited
string, a base64-delimited string, a serialized JSON string array,
or a base64-encoded serialized JSON string array
- secret/ssh: Added allowed_roles to vault-ssh-helper's config and
returning role name as part of response of verify API
- secret/ssh: Added passthrough of command line arguments to ssh
- sys/health: Added version information to the response of health
status endpoint
- sys/health: Cluster information isbe returned as part of health
status when Vault is unsealed
- sys/mounts: MountTable data is compressed before serializing to
accommodate thousands of mounts
- website: The token concepts page has been completely rewritten
BUG FIXES:
- auth/aws-ec2: Added a nil check for stored whitelist identity
object during renewal
- auth/cert: Fix panic if no client certificate is supplied
- auth/token: Don't report that a non-expiring root token is
renewable, as attempting to renew it results in an error
- cli: Don't retry a command when a redirection is received
- core: Fix regression causing status codes to be 400 in most
non-5xx error cases
- core: Fix panic that could occur during a leadership transition
- physical/postgres: Remove use of prepared statements as this
causes connection multiplexing software to break
- physical/consul: Multiple Vault nodes on the same machine
leading to check ID collisions were resulting in incorrect
health check responses
- physical/consul: Fix deregistration of health checks on exit
- secret/postgresql: Check for existence of role before attempting
deletion
- secret/postgresql: Handle revoking roles that have privileges on
sequences
- secret/postgresql(,mysql,mssql): Fix incorrect use of database
over transaction object which could lead to connection
exhaustion
- secret/pki: Fix parsing CA bundle containing trailing whitespace
- secret/pki: Fix adding email addresses as SANs
- secret/pki: Ensure that CRL values are always UTC, per RFC
- sys/seal-status: Fixed nil Cluster object while checking seal
status
0.6.0 (June 14th, 2016)
SECURITY:
Although sys/revoke-prefix was intended to revoke prefixes of
secrets (via lease IDs, which incorporate path information) and
auth/token/revoke-prefix was intended to revoke prefixes of tokens
(using the tokens' paths and, since 0.5.2, role information), in
implementation they both behaved exactly the same way since a
single component in Vault is responsible for managing lifetimes of
both, and the type of the tracked lifetime was not being checked.
The end result was that either endpoint could revoke both secret
leases and tokens. We consider this a very minor security issue as
there are a number of mitigating factors: both endpoints require
sudo capability in addition to write capability, preventing
blanket ACL path globs from providing access; both work by using
the prefix to revoke as a part of the endpoint path, allowing them
to be properly ACL'd; and both are intended for emergency
scenarios and users should already not generally have access to
either one. In order to prevent confusion, we have simply removed
auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be
meant for both leases and tokens instead.
DEPRECATIONS/BREAKING CHANGES:
- auth/token/revoke-prefix has been removed. See the security
notice for details.
- Vault will now automatically register itself as the vault
service when using the consul backend and will perform its own
health checks.
- List operations that do not find any keys now return a 404
status code rather than an empty response object
- CA certificates issued from the pki backend no longer have
associated leases, and any CA certs already issued will ignore
revocation requests from the lease manager.
FEATURES:
- AWS EC2 Auth Backend: Provides a secure introduction mechanism
for AWS EC2 instances allowing automated retrieval of Vault
tokens.
- Response Wrapping: Nearly any response within Vault can now be
wrapped inside a single-use, time-limited token's cubbyhole,
taking the Cubbyhole Authentication Principles mechanism to its
logical conclusion.
- Azure Physical Backend: You can now use Azure blob object
storage as your Vault physical data store
- Swift Physical Backend: You can now use Swift blob object
storage as your Vault physical data store
- Consul Backend Health Checks: The Consul backend will
automatically register a vault service and perform its own
health checking.
- Explicit Maximum Token TTLs: You can now set explicit maximum
TTLs on tokens that do not honor changes in the system- or
mount-set values.
- Non-Renewable Tokens: When creating tokens directly through the
token authentication backend, you can now specify in both token
store roles and the API whether or not a token should be
renewable, defaulting to true.
- RabbitMQ Secret Backend: Vault can now generate credentials for
RabbitMQ. Vhosts and tags can be defined within roles.
IMPROVEMENTS:
- audit: Add the DisplayName value to the copy of the Request
object embedded in the associated Response, to match the
original Request object
- audit: Enable auditing of the seal and step-down commands
- backends: Remove most root/sudo paths in favor of normal ACL
mechanisms.
- command/auth: Restore the previous authenticated token if the
auth command fails to authenticate the provided token
- command/write: -format and -field can now be used with the write
command
- core: Add mlock support for FreeBSD, OpenBSD, and Darwin
- core: Don't keep lease timers around when tokens are revoked
- core: If using the disable_cache option, caches for the policy
store and the transit backend are now disabled as well
- credential/cert: Renewal requests are rejected if the set of
policies has changed since the token was issued
- credential/cert: Check CRLs for specific non-CA certs configured
in the backend
- credential/ldap: If groupdn is not configured, skip searching
LDAP and only return policies for local groups, plus a warning
- credential/ldap: vault list support for users and groups
- credential/ldap: Support for the memberOf attribute for group
membership searching
- credential/userpass: Add list support for users
- credential/userpass: Remove user configuration paths from
requiring sudo, in favor of normal ACL mechanisms
- credential/token: Sanitize policies and add default policies in
appropriate places
- credential/token: Setting the renewable status of a token is now
possible via vault token-create and the API.
- secret/aws: Use chain credentials to allow environment/EC2
instance/shared providers
- secret/aws: Support for STS AssumeRole functionality
- secret/consul: Reading consul access configuration supported.
- secret/pki: Added exclude_cn_from_sans field to prevent adding
the CN to DNS or Email Subject Alternate Names
- secret/pki: Added list support for certificates
- sys/capabilities: Enforce ACL checks for requests that query the
capabilities of a token on a given path
- sys/health: Status information can now be retrieved with HEAD
BUG FIXES:
- command/read: Fix panic when using -field with a non-string
value
- command/token-lookup: Fix TTL showing as 0 depending on how a
token was created.
- command/various: Tell the JSON decoder to not convert all
numbers to floats; fixes some various places where numbers were
showing up in scientific notation
- command/server: Prioritized devRootTokenID and devListenAddress
flags over their respective env vars
- command/ssh: Provided option to disable host key checking.
- core: Properly persist mount-tuned TTLs for auth backends
- core: Don't accidentally crosswire SIGINT to the reload handler
- credential/github: Make organization comparison case-insensitive
during login
- credential/github: Fix panic when renewing a token created with
some earlier versions of Vault
- credential/github: The token used to log in via vault auth can
now be specified in the VAULT_AUTH_GITHUB_TOKEN environment
variable
- credential/ldap: Fix problem where certain error conditions when
configuring or opening LDAP connections would cause a panic
instead of return a useful error message
- credential/token: Fall back to normal parent-token semantics if
allowed_policies is empty for a role.
- credential/token: Fix issues renewing tokens when using the
"suffix" capability of token roles
- credential/token: Fix lookup via POST showing the request token
instead of the desired token
- credential/various: Fix renewal conditions when default policy
is not contained in the backend config
- physical/s3: Don't panic in certain error cases from bad S3
responses
- secret/consul: Use non-pooled Consul API client to avoid leaving
files open
- secret/pki: Don't check whether a certificate is destined to be
a CA certificate if sign-verbatim endpoint is used
0.5.3 (May 27th, 2016)
SECURITY:
Consul ACL Token Revocation: An issue was reported to us
indicating that generated Consul ACL tokens were not being
properly revoked. Upon investigation, we found that this behavior
was reproducible in a specific scenario: when a generated lease
for a Consul ACL token had been renewed prior to revocation. In
this case, the generated token was not being properly persisted
internally through the renewal function, leading to an error
during revocation due to the missing token. Unfortunately, this
was coded as a user error rather than an internal error, and the
revocation logic was expecting internal errors if revocation
failed. As a result, the revocation logic believed the revocation
to have succeeded when it in fact failed, causing the lease to be
dropped while the token was still valid within Consul. In this
release, the Consul backend properly persists the token through
renewals, and the revocation logic has been changed to consider
any error type to have been a failure to revoke, causing the lease
to persist and attempt to be revoked later.
Vault is a tool for securely accessing secrets. A secret is
anything that you want to tightly control access to, such as API
keys, passwords, certificates, and more. Vault provides a unified
interface to any secret, while providing tight access control and
recording a detailed audit log.
fhajny
bsiegert