cloudfoundry-community / vault-boshrelease

Apache License 2.0

Hide versioning information #85

Closed mmavrudiev closed 3 years ago

mmavrudiev commented 3 years ago

Hi,

Is there a way to hide Vault's versioning information from all the possible "public" places, such as the banner in the UI (at the bottom there is a banner like "© 2021 HashiCorp Vault 1.4.0 Upgrade to Vault Enterprise Documentation") or the API endpoints /v1/sys/health and /v1/sys/seal-status, which also return a "version" key?

Impact

The disclosure of version or system information allows an attacker to conduct a selective search in vulnerability databases. The obtained information can then be used as a basis for attacks.

Recommendation

It is recommended not to disclose any information about the system or available services. Such information should be removed from banners.

Thanks a lot,

MattSurabian commented 3 years ago

Not through the bosh release, really. You could update your Vault config to do things like disable the UI entirely, but as you've pointed out, the API endpoints are still available.

I think the more common practice in all the places I've worked would be to not expose your Vault server to a "public network" (however you choose to define that given your threat model) at all. There may be issues in the Vault project itself that talk about information leakage in more detail, but it's definitely not within the scope or ability of the Bosh release wrapping it.

I can tell you that in the places I've used Vault, we opt to only make it accessible from a small group of subnets within a given VPC.
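A Vault server configuration that applies the two mitigations the reply describes, disabling the UI and binding the listener to a private-subnet interface, with the weak form shown alongside for comparison. This is an added example, not part of the issue thread or of the bosh release's job properties; the addresses, certificate paths and storage path are placeholders.

```hcl
# Added example of a Vault server config (HCL); all addresses and paths are placeholders.

# Weak: UI enabled and listener bound to every interface, so the version banner
# in the UI and the "version" key in /v1/sys/health are reachable from anywhere.
#
# ui = true
# listener "tcp" {
#   address     = "0.0.0.0:8200"
#   tls_disable = true
# }

# Hardened: UI off, listener bound only to the private-subnet interface, TLS on.
ui = false

listener "tcp" {
  address       = "10.0.1.5:8200"          # placeholder: private subnet address only
  tls_cert_file = "/etc/vault/tls/vault.crt"  # placeholder
  tls_key_file  = "/etc/vault/tls/vault.key"  # placeholder
}

storage "file" {
  path = "/var/lib/vault/data"             # placeholder
}

api_addr = "https://10.0.1.5:8200"         # matches the private listener address
```

The /v1/sys/health and /v1/sys/seal-status endpoints still return the version key with this config; what removes them from "public" reach is the private listener address together with the subnet and firewall rules around it, not anything in this file.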

MattSurabian commented 3 years ago

Closing, as this is more of an issue for the Vault project itself per my note above, but feel free to reopen if you want to discuss further.