Consul 1.6.3 Released (security)

Hello everyone,

We just released Consul 1.6.3 which has two security related fixes.

In addition, 1.6.3 includes fixes for intermediate certificate handling in a secondary datacenter in a multi-dc Connect setup.

CVE-2020-7219

A vulnerability was identified in Consul such that unbounded resource usage, triggered by the establishment of many unauthenticated HTTP or RPC connections, may generate excessive load and/or crash the server.

This vulnerability affects all previous releases of Consul, and is fixed in the 1.6.3 release. For full details about the problem and how to remediate see issue 7159 on GitHub.

CVE-2020-7955

A low-risk vulnerability was identified in the Consul HTTP API such that the endpoints v1/agent/health/service/* did not enforce ACLs.

This vulnerability affects Consul releases 1.4.1 through 1.6.2, and is fixed in 1.6.3. For full details about the problem and how to remediate, see issue 7160 on GitHub.

Please see the complete changelog for details on the releases:

The release binaries can be downloaded here:

https://releases.hashicorp.com/consul/1.6.3/

– The Consul Team


Thanks for the update. What’s the typical turnaround to push out a new image to Dockerhub?

They are available now. I think it took a couple of hours, not 100% sure though.

@i0rek I think the downloads page still needs updating ?!

@shantanugadgil Thanks for bringing this to our attention. The downloads page has been updated to point to the 1.6.3 release binaries.
