VMware offers training and certification to turbo-charge your progress.Learn more
In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.
Specifically, an application is vulnerable when all of the following are true:
LifecycleAwareSessionManagerin an imperative-only arrangement.
LifecycleAwareSessionManager.destroy()is called by the application or the application shutdown hook
org.springframework.vault.authenticationis set at least to
WARNor a more detailed logging level.
An application is not vulnerable if any of the following is true:
ReactiveSessionManagerin a mixed reactive/imperative or reactive-only arrangement.
LifecycleAwareSessionManager.destroy()is never called by the application or the application shutdown hook
org.springframework.vault.authenticationis set to
ERRORor higher, such as
Users of affected versions should apply the following mitigation.
3.0.xusers should upgrade to
3.0.2. When consuming Spring Vault transitively, pin the dependency version of
2.3.xusers should upgrade to
2.3.3. When consuming Spring Vault transitively, pin the dependency version of
No other steps are necessary.
Releases that have fixed this issue include:
This issue was identified and responsibly reported by Martin Kiesel.
The VMware Security Response team provides a single point of contact for the reporting of security vulnerabilities in VMware Tanzu products and coordinates the process of investigating any reported vulnerabilities.
To report a security vulnerability in a VMware service or product please refer to the VMware Security Response Policy.