Consul 1.6.6 and 1.7.4 Released (security)

Hello everyone,

We just released Consul 1.6.6 and 1.7.4, which ship fixes for multiple CVEs:

Consul 1.6.6 and 1.7.4 are available as of now for OSS and ENT customers in the usual locations. Both releases are mostly about the fixed CVEs:

CVE-2020-13250: Consul’s DNS and HTTP API expose a caching feature susceptible to DoS.

CVE-2020-12797: Consul doesn't enforce changes to legacy ACL token rules, because they are not propagated to secondary datacenters.

CVE-2020-13170: When token replication is not enabled in a secondary datacenter, attempts to use a local token created in the primary are successful for operations targeting that secondary datacenter. Thus what was meant to be scoped to a single datacenter is valid in other datacenters.

CVE-2020-12758: With service:write permissions, a service-router entry without a destination can crash Consul servers.
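The practical follow-up to a list like this is confirming every agent in a cluster is on a fixed version. The script below is an added example, not part of the announcement or of Consul itself: it parses `consul version` output and flags nodes still below 1.6.6 on the 1.6 line or 1.7.4 on the 1.7 line. It assumes lines newer than 1.7 contain the fixes and lines older than 1.6 do not, and the node names and outputs are constructed samples.

```python
"""Flag Consul agents still running versions affected by the CVEs fixed in 1.6.6 / 1.7.4."""
import re

# Fixed versions per release line, taken from the announcement above.
FIXED = {(1, 6): (1, 6, 6), (1, 7): (1, 7, 4)}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from output such as 'Consul v1.7.3' or 'Consul v1.7.4+ent'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: tuple) -> bool:
    """True if this version carries the fixes for the four CVEs above.

    1.6.x needs >= 1.6.6 and 1.7.x needs >= 1.7.4. Assumption: any line newer
    than 1.7 includes the fixes, and any line older than 1.6 has no backport.
    """
    line = version[:2]
    if line in FIXED:
        return version >= FIXED[line]
    return line > (1, 7)


def unpatched_agents(version_output: dict) -> list:
    """Given {node_name: output of `consul version`}, return the names of unpatched nodes."""
    return sorted(
        name for name, out in version_output.items()
        if not is_patched(parse_version(out))
    )


# Constructed sample of what `consul version` prints on a few nodes (not real hosts).
SAMPLE = {
    "consul-server-1": "Consul v1.7.4\nRevision 6a6ec4b\nProtocol 2 spoken by default",
    "consul-server-2": "Consul v1.7.3\nRevision abc1234",
    "consul-client-a": "Consul v1.6.6+ent\n",
    "consul-client-b": "Consul v1.5.3\n",
    "consul-client-c": "Consul v1.8.0\n",
}

if __name__ == "__main__":
    for name in unpatched_agents(SAMPLE):
        print(f"{name}: upgrade to 1.6.6 / 1.7.4 or later")
```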

Please see the complete changelog for details on the releases:


The release binaries can be downloaded here:

https://releases.hashicorp.com/consul/1.6.6/
https://releases.hashicorp.com/consul/1.7.4/

– The Consul Team
