HCSEC-2020-04 - Consul's Health Check API Endpoints May Disclose Information

Bulletin ID: HCSEC-2020-04
Affected Products / Versions: Consul and Consul Enterprise 1.4.1 through 1.6.2; fixed in 1.6.3.
Publication Date: 30 January, 2020

Consul and Consul Enterprise (“Consul”) did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. This vulnerability affected Consul versions 1.4.1 through 1.6.2 and was assigned CVE-2020-7955.

Consul uses Access Control Lists (ACLs) to secure the UI, API, CLI, service communications, and agent communications.

It was observed that Consul did not apply ACLs to the following endpoints, which could lead to data leakage when script checks are turned on:

  • /v1/agent/health/service/id/:service-id
  • /v1/agent/health/service/name/:service-name

Customers should upgrade to Consul or Consul Enterprise 1.6.3, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
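To find agents that still need this upgrade, the following added example (not HashiCorp's code) parses the table printed by `consul members` and flags every member whose build falls in the affected range 1.4.1 through 1.6.2. The sample output is constructed, the helper names are hypothetical, and the `+ent` suffix on Enterprise builds is an assumption about how the Build column is rendered.

```python
import re

# Affected range stated in the bulletin: 1.4.1 through 1.6.2 (fixed in 1.6.3).
FIRST_AFFECTED, LAST_AFFECTED = (1, 4, 1), (1, 6, 2)
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample of `consul members` output (not from a real cluster).
SAMPLE = """\
Node      Address         Status  Type    Build      Protocol  DC   Segment
server-1  10.0.0.11:8301  alive   server  1.6.3      2         dc1  <all>
server-2  10.0.0.12:8301  alive   server  1.6.2+ent  2         dc1  <all>
client-1  10.0.0.21:8301  alive   client  1.4.0      2         dc1  <default>
client-2  10.0.0.22:8301  alive   client  1.5.3      2         dc1  <default>
"""


def parse_build(build):
    """Return (major, minor, patch) for a Build value such as '1.6.2+ent'.

    Suffixes ('+ent', '-beta1') are dropped; only the base version is compared.
    """
    m = _VERSION_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(build):
    """True if the build lies in the range affected by CVE-2020-7955."""
    return FIRST_AFFECTED <= parse_build(build) <= LAST_AFFECTED


def affected_members(members_output):
    """Return [(node, build)] for members that still need the 1.6.3 upgrade.

    Columns are located by header name. Rows whose build cannot be parsed
    are reported with build 'unknown' so they get a manual look.
    """
    lines = [l for l in members_output.splitlines() if l.strip()]
    header = lines[0].split()
    node_col, build_col = header.index("Node"), header.index("Build")
    found = []
    for line in lines[1:]:
        cols = line.split()
        try:
            if is_affected(cols[build_col]):
                found.append((cols[node_col], cols[build_col]))
        except (IndexError, ValueError):
            found.append((cols[0], "unknown"))
    return found
```

Calling `affected_members(SAMPLE)` returns `server-2` and `client-2`; `client-1` on 1.4.0 predates the affected range and `server-1` already runs the fixed release.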

This issue was identified by the Consul engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.