Consul 1.6.3 Released (security)

i0rek · January 30, 2020, 7:18pm

Hello everyone,

We just released Consul 1.6.3 which has two security related fixes.

In addition, 1.6.3 includes fixes for intermediate certificate handling in a secondary datacenter in a multi-dc Connect setup.

CVE-2020-7219

A vulnerability was identified in Consul such that unbounded resource usage, triggered by the establishment of many unauthenticated HTTP or RPC connections, may generate excessive load and/or crash the server.

This vulnerability affects all previous releases of Consul, and is fixed in the 1.6.3 release. For full details about the problem and how to remediate see issue 7159 on GitHub.

CVE-2020-7955

A low risk vulnerability was identified in Consul HTTP API such that the endpoints v1/agent/health/service/* did not enforce acl

This vulnerability affects Consul releases 1.4.1 until 1.6.2, and is fixed in 1.6.3. For full details about the problem and how to remediate see issue 7160 on GitHub.

Please see the complete changelog for details on the releases:

github.com

hashicorp/consul/blob/v1.6.3/CHANGELOG.md

## 1.6.3 (January 30, 2020)

SECURITY

* agent: mitigate potential DoS vector allowing unbounded server resource usage from unauthenticated connections [[GH-7159](https://github.com/hashicorp/consul/issues/7159)]
* acl: add ACL enforcement to the `v1/agent/health/service/*` endpoints [[GH-7160](https://github.com/hashicorp/consul/issues/7160)]

IMPROVEMENTS

* tls: `auto_encrypt` and `verify_incoming` [[GH-6811](https://github.com/hashicorp/consul/pull/6811)]

BUG FIXES

* agent: output proper HTTP status codes for Txn requests that are too large [[GH-7158](https://github.com/hashicorp/consul/pull/7158)]
* connect: derive connect certificate serial numbers from a memdb index instead of the provider table max index [[GH-7011](https://github.com/hashicorp/consul/pull/7011)]
* connect: ensure that updates to the secondary root CA configuration use the correct signing key ID values for comparison [[GH-7012](https://github.com/hashicorp/consul/pull/7012)]

## 1.6.2 (November 13, 2019)

SECURITY

This file has been truncated. show original

The release binaries can be downloaded here:

https://releases.hashicorp.com/consul/1.6.3/

– The Consul Team

eeeschwartz · January 30, 2020, 8:26pm

Thanks for the update. What’s the typical turnaround to push out a new image to Dockerhub?

i0rek · January 31, 2020, 10:18am

They are available now. I think it took a couple of hours, not 100% sure though.

shantanugadgil · January 31, 2020, 2:01pm

@i0rek I think the downloads page still needs updating ?!

blake · January 31, 2020, 10:03pm

@shantanugadgil Thanks for bringing this to our attention. The downloads page has been updated to point to the 1.6.3 release binaries.

Topic		Replies	Views
Consul 1.7.0-beta4 Released! Consul	1	315	January 31, 2020
Consul 1.6.6 and 1.7.4 Released (security) Consul	1	510	June 10, 2020
[consul] ANN: Consul 1.6.5 Released Consul	1	338	April 14, 2020
ANN: Consul 1.8.6, 1.7.10 and 1.6.10 Released Consul	0	409	November 20, 2020
HCSEC-2020-02 - Consul’s HTTP/RPC Services Allow Unbounded Resource Usage, Susceptible to Unauthenticated Denial of Service Security security-consul	0	4215	November 25, 2020

Consul 1.6.3 Released (security)

Related topics