Vault v1.9.4 Release Notes

  • March 3, 2022

    SECURITY:

    • secrets/pki: Vault and Vault Enterprise ("Vault") allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. This vulnerability, CVE-2022-25243, was fixed in Vault 1.8.9 and 1.9.4.
    • transform (enterprise): Vault Enterprise ("Vault") clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. This vulnerability, CVE-2022-25244, was fixed in Vault Enterprise 1.7.10, 1.8.9, and 1.9.4.

    CHANGES:

    • secrets/azure: The configuration parameter use_microsoft_graph_api now defaults to true, so the Microsoft Graph API is used by default. [GH-14130]

    IMPROVEMENTS:

    • core: Bump Go version to 1.17.7. [GH-14232]
    • secrets/pki: Restrict issuance of wildcard certificates via role parameter (allow_wildcard_certificates) [GH-14238]
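
    The two PKI entries above (CVE-2022-25243, and the allow_wildcard_certificates role parameter that 1.9.4 introduces to restrict wildcard issuance) leave an operator with a concrete follow-up after upgrading: find the roles that can still hand out *.domain certificates and turn the new parameter off wherever wildcards are not intended. The script below is an added example, not code from these release notes or from the Vault project. It works on role documents in the shape that `vault read -format=json pki/roles/<name>` prints, but the documents embedded here are constructed for the demo; the role names, the `pki` mount path and the WILDCARD_ALLOWLIST set are hypothetical, and the assumption that a PKI role write replaces the whole role (so the full role data has to be re-sent) should be verified against your Vault version.

```python
"""Audit Vault PKI roles for wildcard issuance (added example, not Vault code).

Input is the JSON `vault read -format=json pki/roles/<name>` prints; the role
documents below are constructed and the names, mount and allowlist hypothetical.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample role documents, trimmed to the fields that govern wildcards.
SAMPLE_ROLES: Dict[str, dict] = {
    # allow_subdomains=false but the new parameter left at its default of true:
    # a client authorised on pki/issue/web-servers can still get *.example.com.
    "web-servers": {"data": {"allowed_domains": ["example.com"],
                             "allow_subdomains": False, "allow_glob_domains": False,
                             "allow_wildcard_certificates": True}},
    # Meant to issue wildcards; listed in WILDCARD_ALLOWLIST below.
    "wildcard-ingress": {"data": {"allowed_domains": ["apps.example.com"],
                                  "allow_subdomains": True, "allow_glob_domains": False,
                                  "allow_wildcard_certificates": True}},
    # Already hardened.
    "hosts": {"data": {"allowed_domains": ["example.com"],
                       "allow_subdomains": True, "allow_glob_domains": False,
                       "allow_wildcard_certificates": False}},
    # Read from a server that predates the fix: the parameter is not returned.
    "legacy": {"data": {"allowed_domains": ["*.example.net"],
                        "allow_subdomains": False, "allow_glob_domains": True}},
}
WILDCARD_ALLOWLIST = {"wildcard-ingress"}  # roles intended to issue wildcards


def wildcard_findings(name: str, role_doc: dict) -> List[str]:
    """Return the reasons a role can still issue wildcard certificates."""
    data = role_doc["data"]
    findings: List[str] = []
    if "allow_wildcard_certificates" not in data:
        findings.append("allow_wildcard_certificates is absent: the server predates "
                        "the 1.8.9/1.9.4 fix and wildcard issuance cannot be "
                        "restricted per role; upgrade first")
    elif data["allow_wildcard_certificates"] and name not in WILDCARD_ALLOWLIST:
        findings.append(f"allow_wildcard_certificates=true: a client with write on "
                        f"pki/issue/{name} can obtain *.<allowed_domain>")
        if not data.get("allow_subdomains", False):
            findings.append("allow_subdomains=false alone does not stop this "
                            "(CVE-2022-25243)")
    if data.get("allow_glob_domains", False) and any(
            "*" in d for d in data.get("allowed_domains", [])):
        findings.append("allow_glob_domains with a glob in allowed_domains: review, "
                        "1.9.4 changed wildcard issuance against glob patterns "
                        "[GH-14235]")
    return findings


def audit(roles: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each role name to its findings, omitting roles with none."""
    result: Dict[str, List[str]] = {}
    for name, doc in roles.items():
        findings = wildcard_findings(name, doc)
        if findings:
            result[name] = findings
    return result


def remediation(name: str, role_doc: dict,
                mount: str = "pki") -> Optional[Tuple[str, dict]]:
    """Return (command, payload) that disables wildcard issuance for the role.

    The whole existing role data is re-sent with one field changed, on the
    assumption that a role write replaces the role and would otherwise reset
    unspecified fields to their defaults (verify against your Vault version).
    Returns None when the server has no such parameter: upgrade first.
    """
    data = role_doc["data"]
    if "allow_wildcard_certificates" not in data:
        return None
    payload = dict(data)  # copy; the input document is left untouched
    payload["allow_wildcard_certificates"] = False
    return f"vault write {mount}/roles/{name} @{name}.json", payload


if __name__ == "__main__":
    for role, findings in audit(SAMPLE_ROLES).items():
        print(f"[{role}]")
        for finding in findings:
            print("  -", finding)
        fix = remediation(role, SAMPLE_ROLES[role])
        if fix:
            cmd, payload = fix
            print(f"  write {role}.json containing: {json.dumps(payload)}")
            print(f"  then run: {cmd}")
```

    To run it against a real cluster, replace SAMPLE_ROLES with the output of `vault read -format=json pki/roles/<name>` for each name returned by `vault list -format=json pki/roles` (the CLI's JSON output carries the role fields under `data`, which is why the script indexes that key), and write the emitted payload to a file before passing it with the CLI's `@file` argument form. Roles that are expected to issue wildcards go in WILDCARD_ALLOWLIST so the audit reports only the unintended ones.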

    ๐Ÿ› BUG FIXES:

    • auth/azure: Fixed a bug where the auth method only considered the system-assigned identity when multiple identities were available. #50 [GH-14138]
    • auth/kubernetes: Properly handle the migration of role storage entries containing an empty alias_name_source [GH-13925]
    • auth/kubernetes: ensure valid entity alias names created for projected volume tokens [GH-14144]
    • ๐Ÿ‘ identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs. [GH-13871]
    • ๐Ÿ›  identity/oidc: Fixes inherited group membership when evaluating client assignments [GH-14013]
    • ๐Ÿ›  secrets/azure: Fixed bug where Azure environment did not change Graph URL [GH-13973]
    • ๐Ÿ›  secrets/azure: Fixes the rotate root operation for upgraded configurations with a root_password_ttl of zero. [GH-14130]
    • ๐Ÿ›  secrets/gcp: Fixed bug where error was not reported for invalid bindings [GH-13974]
    • secrets/openldap: Fix panic from nil logger in backend [GH-14171]
    • secrets/pki: Fix issuance of wildcard certificates matching glob patterns [GH-14235]
    • storage/raft: Fix issues allowing invalid nodes to become leadership candidates. [GH-13703]
    • 0๏ธโƒฃ ui: Fix default TTL display and set on database role [GH-14224]
    • ๐Ÿ’ป ui: Fix incorrect validity message on transit secrets engine [GH-14233]
    • ๐Ÿ’ป ui: Fix kv engine access bug [GH-13872]
    • ๐Ÿ’ป ui: Fix issue removing raft storage peer via cli not reflected in UI until refresh [GH-13098]
    • ๐Ÿ’ป ui: Trigger background token self-renewal if inactive and half of TTL has passed [GH-13950]