CVE-2023-6337: 
HashiCorp Vault vulnerability analysis and mitigation

HashiCorp Vault and Vault Enterprise since version 1.12.0 are affected by a vulnerability (CVE-2023-6337) that allows denial of service through memory exhaustion when handling large HTTP requests. The vulnerability was discovered and disclosed on December 8, 2023, and has been fixed in versions 1.15.4, 1.14.8, and 1.13.12 (HashiCorp Discussion).

The vulnerability was introduced in version 1.12.0 where inbound HTTP requests are processed to determine rate limit quota for certain auth methods. During this processing, which occurs before limits and quotas are applied, the request is copied to memory without bound checks or limits. When processing large requests, this operation can consume all available memory on the host until out-of-memory processes are triggered by the operating system. The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NetApp Security).

Successful exploitation of this vulnerability can lead to denial of service through memory exhaustion of the host, potentially causing Vault to crash and not recover automatically. The issue can also be triggered by legitimate Vault usage involving large requests, such as restoring large snapshots (HashiCorp Discussion).

Organizations should evaluate their risk exposure and upgrade to Vault versions 1.15.4, 1.14.8, 1.13.12, or newer. The upgrade process should follow the general guidance and version-specific upgrade notes provided in the Vault documentation (HashiCorp Discussion).