CVE-2022-41316: 
HashiCorp Vault vulnerability analysis and mitigation

HashiCorp Vault and Vault Enterprise's TLS certificate auth method contained a vulnerability (CVE-2022-41316) where it did not initially load the optionally-configured Certificate Revocation List (CRL) issued by the role's CA into memory on startup. This vulnerability affected versions up to 1.11.3 and was discovered in October 2022. The issue was fixed in versions 1.12.0, 1.11.4, 1.10.7, and 1.9.10 (HashiCorp Discussion).

The vulnerability occurred because the CRL used by Vault's certificate authentication method was not being loaded on startup and required a request to the CRL endpoint to populate the data structure containing the CRL entries. In multi-cluster deployments, this behavior also occurred on invalidation due to a write from another cluster. The vulnerability has been assigned a CVSS score of 5.3 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NetApp Advisory).

When using TLS certificate authentication, Vault did not correctly perform CRL revocation checks if login occurred between Vault startup (or invalidation) and a manual retrieval of the CRL. This could potentially lead to the addition or modification of data, as revoked certificates might be accepted during this window (HashiCorp Discussion).

The recommended mitigation is to upgrade to Vault Enterprise versions 1.12.0, 1.11.4, 1.10.7, 1.9.10, or newer. HashiCorp also recommends keeping short TTLs as a general practice to mitigate the operational complexities of certificate and credential revocation (HashiCorp Discussion).