I've run Vault for a long time, and none of this surprises me. I've even reported some of these to Hashicorp in the past, along with other equally shocking bugs.

The code base is an absolute mess.

The number of bugs and weird edge cases I've found with my quickcheck property testing of their API is shocking, and makes me think their test suites are woefully inadequate.

OpenBao, under the Linux Foundation's OpenSSF, is making meaningful improvements to the code. I'd love to have high-quality reports, if you're willing to re-visit these. :-)

I don't think the code is a mess (I've had to work with it before) and I don't think these vulnerabilities are shocking. This is an unusually thorough research project and if you look at any project you're going to find these kinds of logic vulnerabilities; the TOCTTOU parse differential thing is a classic insidious finding, because there's no pattern to match it to.

I'll +1 this. I've personally committed code to Vault and the OpenBao changes go hand-in-hand with the style of the Vault codebase. I enjoy both projects and appreciate that they both exist.

It's all Go anyway, it all looks pretty similar. I think if anything it looks/feels this way because it's a security-first project. By that I mean the way the code is written tends to care more about security over anything else.

Also the Hashicorp projects in general tend to use a lot of their own libraries/code so it's just a little different than other stuff. Code quality isn't too important so long as the code is maintainable (clearly it is, it's had a lot of versions) and works (again, clearly it does; a lot of folks use Vault just fine, including me).

All previous CVEs are handled in a very straightforward manner with reasonable notifications as well, just like this one. This just has a big fancy article attached to it because it's Blackhat week and folks want to get a big fancy release. If you need further proof of the Blackhat effect go look up the 'death of http/1.1' article.

> The code base is an absolute mess.

This is an understatement, and honestly when I saw it the first time it was enough to make me wonder about all things Hashicorp.

Where were all these people when Vault was released in 2015? I remember being told we were switching to Vault in 2018 and nada. It was like the economists before the 2008 mortgage salad. Did Vault not hire security people? This reminds me of when Heartbleed occurred in 2014. It was after that when someone looked at the code and found bugs everywhere. The guy that created Heartbleed got a PhD and the guy that discovered it got a t-shirt. "And then it was acquired by IBM".

> The code base is an absolute mess.

As a bystander, can you give any examples? Is it just poorly structured, full of spaghetti, or something else?