Hello everyone,
We just released Consul 1.8.6, 1.7.10 and 1.6.10 which address CVE-2020-28053 (not yet published):
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with operator:read ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the /v1/connect/ca/configuration endpoint, including the private key. This allows this authenticated user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.
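A small fleet-triage helper, added here as an example (this is not HashiCorp code and not part of the announcement): it classifies each agent's reported version against the three fixed releases named above (1.8.6, 1.7.10, 1.6.10). It assumes Consul version strings follow the `MAJOR.MINOR.PATCH[-prerelease][+metadata]` form (e.g. `1.8.6+ent` for Enterprise, `1.9.0-rc1` for a release candidate); the inventory at the bottom is constructed sample data, and branches the announcement does not name are reported as `unknown` rather than guessed.

```python
"""Triage a Consul fleet against the fixed versions announced for CVE-2020-28053.

Added example, not HashiCorp code. Version strings are assumed to follow the
"MAJOR.MINOR.PATCH[-prerelease][+metadata]" form Consul uses; the inventory
below is constructed sample data.
"""
import re

# Patched releases named in the announcement, keyed by release branch.
FIXED_VERSIONS = {
    (1, 6): (1, 6, 10),
    (1, 7): (1, 7, 10),
    (1, 8): (1, 8, 6),
}

_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+(?P<meta>[0-9A-Za-z.-]+))?$"
)


def parse_version(text):
    """Return ((major, minor, patch), prerelease_tag_or_None).

    Build metadata after '+' (e.g. '+ent') is accepted but ignored, since it
    does not affect ordering; a '-' pre-release tag does and is kept.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Consul version string: {text!r}")
    core = tuple(int(m.group(k)) for k in ("major", "minor", "patch"))
    return core, m.group("pre")


def assess(text):
    """Classify one agent version as 'fixed', 'vulnerable' or 'unknown'.

    'unknown' covers branches the announcement does not name (e.g. 1.9.0-rc1);
    those must be checked against the published advisory, not inferred here.
    """
    core, pre = parse_version(text)
    fixed = FIXED_VERSIONS.get(core[:2])
    if fixed is None:
        return "unknown"
    if core < fixed:
        return "vulnerable"
    if core == fixed and pre is not None:
        # A pre-release of the fixed version (e.g. 1.8.6-rc1) sorts before the
        # release itself, so it is treated as unpatched for triage purposes.
        return "vulnerable"
    return "fixed"


def triage(inventory):
    """Group agents by status; inventory maps node name -> reported version."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for node, version in sorted(inventory.items()):
        report[assess(version)].append(node)
    return report


# Constructed sample inventory. In a real run you would collect each agent's
# Config.Version from its /v1/agent/self endpoint instead.
SAMPLE_INVENTORY = {
    "consul-server-1": "1.8.5",
    "consul-server-2": "1.8.6+ent",
    "consul-server-3": "1.7.9",
    "consul-client-a": "1.6.10",
    "consul-client-b": "1.9.0-rc1",
    "consul-client-c": "1.8.6-rc1",
}

if __name__ == "__main__":
    for status, nodes in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(nodes) or '-'}")
```

Anything reported as `vulnerable` still exposes the CA private key to every token holding operator:read until upgraded, so the status list doubles as the upgrade order; `unknown` entries (such as the 1.9.0 release candidate) need a manual check against the published advisory.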
All versions are available now for OSS and ENT customers in the usual locations.
Please see the complete changelog for details on the releases:
- https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#186-november-19-2020
- https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#1710-november-19-2020
- https://github.com/hashicorp/consul/blob/master/CHANGELOG.md#1610-november-19-2020
The release binaries can be downloaded here:
P.S. Consul 1.9.0-rc1 was released this week, additional testing is appreciated before GA next week!