Skip to main content

OpenBao 2.3.0 release notes

v2.3.1

Release date: June 25, 2025

info

OpenBao v2.3.0 is unreleased due to a bug in Illumos builds. Illumos has been removed from v2.3.1 as a result, per policy.

SECURITY

  • core/sys: Add listener parameter (disable_unauthed_rekey_endpoints, default: false) to optionally disable unauthenticated rekey operations (to sys/rekey/* and sys/rekey-recovery-key/*) for a listener. This will be set to true in a future release; see the deprecation notice for more information. Auditing is now enabled for these endpoints as well. CVE-2025-52894. Upstream HCSEC-2025-11 / CVE-2025-4656.
  • sdk/framework: prevent additional information disclosure on invalid request. CVE-2025-52893. [GH-1495]

CHANGES

  • packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also https://github.com/golang/go/issues/46279. [GH-1179]
  • storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]
  • packaging: Support for Illumos removed due to broken builds [GH-1503]

FEATURES

  • KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
  • Namespaces UI Support: Added namespace UI support, including namespace picker and namespace management pages. [GH-1406]
  • Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
    • Create, read, update, delete a hierarchical directory of namespaces
    • Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
    • Migrate (remount) secrets engines and auth methods between namespaces
    • Lock and unlock namespaces
    • Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!)
    • CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165]
  • Add ARM64 HSM builds and Alpine-based HSM container images [GH-1427]
  • Support Common Expression Language (CEL) in PKI. CEL allows role authors to create flexible, dynamic certificate policies with complex, custom validation support and arbitrary control over the final certificate object. [GH-794]
  • auth/jwt: Add support for Common Expression Language (CEL) login roles. CEL allows role authors to create flexible, dynamic policies with complex, custom claim validation support and arbitrary templating of logical.Auth data. [GH-869]
  • ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]

IMPROVEMENTS

  • When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
  • approle: Use transactions for read + write operations [GH-992]
  • auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
  • core/identity: add unsafe_cross_namespace_identity to give compatibility with Vault Enterprise's cross-namespace group membership. [GH-1432]
  • core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
  • core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
  • core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
  • core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
  • database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
  • database: Use transactions for read-then-write methods in the database package [GH-995]
  • pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
  • ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
  • storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]

DEPRECATIONS

  • Configuration of PKCS#11 auto-unseal using the duplicate and undocumented module, token and key options is now deprecated. Use the documented alternative options lib, token_label and key_label instead, respectively. (More details) [GH-1385]

BUG FIXES

  • api: Stop marshaling nil interface data and adding it as a request body on an api.Request [GH-1315]
  • core/identity: load namespace entities, groups into MemDB preventing them from disappearing on restart. [GH-1432]
  • oidc: add some buffer time after calling oidcPeriodicFunc in test, to prevent flakiness [GH-1178]
  • pki: addresses a timing issue revealed in pki Backend_RevokePlusTidy test [GH-1139]
  • sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11 library on shutdown (https://github.com/openbao/go-kms-wrapping/pull/32). This is unlikely to have caused many real-world issues so far. [GH-1349]
  • secrets/kv: Fix panic on detailed metadata list when results include a directory. [GH-1388]
  • storage/postgresql: Remove redundant PermitPool enforced by db.SetMaxOpenConns(...). [GH-1299]
  • storage/postgresql: skip table creation automatically on PostgreSQL replicas [GH-1478]
  • vault: addresses a timing issue revealed in OIDC_PeriodicFunc test [GH-1129]
  • vault: fixes a timing issue in OIDC_PeriodicFunc test [GH-1100]

v2.3.0-beta20250528

Release date: May 28, 2025

SECURITY

  • sdk/framework: prevent information disclosure on invalid request. HCSEC-2025-09 / CVE-2025-4166. [GH-1323]

CHANGES

  • openbao: update modules and checksums to address vulnerabilities [GH-1126]
  • packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also https://github.com/golang/go/issues/46279. [GH-1179]
  • storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]

FEATURES

  • KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
  • Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
    • Create, read, update, delete a hierarchical directory of namespaces
    • Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
    • Migrate (remount) secrets engines and auth methods between namespaces
    • Lock and unlock namespaces
    • Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!)
    • CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165]
  • ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]

IMPROVEMENTS

  • When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
  • approle: Use transactions for read + write operations [GH-992]
  • auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
  • core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
  • core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
  • core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
  • core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
  • database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
  • database: Use transactions for read-then-write methods in the database package [GH-995]
  • pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
  • ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
  • storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]

BUG FIXES

  • api: Stop marshaling nil interface data and adding it as a request body on an api.Request [GH-1315]
  • cli: Return a quoted string URL when -output-curl-string flag is passed in [GH-1038]
  • oidc: add some buffer time after calling oidcPeriodicFunc in test, to prevent flakiness [GH-1178]
  • pki: addresses a timing issue revealed in pki Backend_RevokePlusTidy test [GH-1139]
  • sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11 library on shutdown (https://github.com/openbao/go-kms-wrapping/pull/32). This is unlikely to have caused many real-world issues so far. [GH-1349]
  • secrets/pki: Remove null value for subproblems encoding, fixing compatibility with certain ACME clients like certbot. [GH-1236]
  • storage/postgresql: Remove redundant PermitPool enforced by db.SetMaxOpenConns(...). [GH-1299]
  • ui: Fix description of Organizational Unit (OU) field in PKI. [GH-1333]
  • vault: addresses a timing issue revealed in OIDC_PeriodicFunc test [GH-1129]
  • vault: fixes a timing issue in OIDC_PeriodicFunc test [GH-1100]