Get ahead
VMware offers training and certification to turbo-charge your progress.
Learn moreIn Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.
Specifically, an application is vulnerable when all of the following are true:
LifecycleAwareSessionManager
in an imperative-only arrangement.LifecycleAwareSessionManager.destroy()
is called by the application or the application shutdown hookLifecycleAwareSessionManager
or org.springframework.vault.authentication
is set at least to WARN
or a more detailed logging level.An application is not vulnerable if any of the following is true:
ReactiveSessionManager
in a mixed reactive/imperative or reactive-only arrangement.LifecycleAwareSessionManager.destroy()
is never called by the application or the application shutdown hookLifecycleAwareSessionManager
or org.springframework.vault.authentication
is set to ERROR
or higher, such as OFF
.Users of affected versions should apply the following mitigation.
3.0.x
users should upgrade to 3.0.2
. When consuming Spring Vault transitively, pin the dependency version of spring-vault-core
to 3.0.2
.2.3.x
users should upgrade to 2.3.3
. When consuming Spring Vault transitively, pin the dependency version of spring-vault-core
to 2.3.3
ERROR
for the org.springframework.vault.authentication.LifecycleAwareSessionManager
logger.No other steps are necessary.
Releases that have fixed this issue include:
This issue was identified and responsibly reported by Martin Kiesel.
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy