Bulletin ID: HCSEC-2020-04
Affected Products / Versions: Consul and Consul Enterprise 1.4.1 through 1.6.2; fixed in 1.6.3.
Publication Date: 30 January, 2020
Summary
Consul and Consul Enterprise (“Consul”) did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. This vulnerability affected Consul versions 1.4.1 through 1.6.2 and was assigned CVE-2020-7955.
Background
Consul uses Access Control Lists (ACLs) documentation to secure the UI, API, CLI, service communications, and agent communications.
Details
It was observed that Consul did not apply ACLs for the following endpoints that could lead to data leakage with script checks turned on:
/v1/agent/health/service/id/:service-id/v1/agent/health/service/name/:service-name
Remediation
Customers should upgrade to Consul or Consul Enterprise 1.6.3, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
Acknowledgement
This issue was identified by the Consul engineering team.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.