HCSEC-2020-10 - Consul Server Crash With Invalid Service-Router Config Entry

Bulletin ID: HCSEC-2020-10
Affected Products / Versions: Consul and Consul Enterprise 1.6.0 - 1.6.5 and 1.7.0 - 1.7.3; fixed in 1.6.6 and 1.7.4.
Publication Date: 10 June, 2020

Summary
HashiCorp Consul and Consul Enterprise (“Consul”) could crash when configured with an abnormally-formed service-router entry. This vulnerability, CVE-2020-12758, was introduced in Consul 1.6.0 and fixed in 1.6.6 and 1.7.4.

Background
Consul allows the definition of service-router (documentation) entries within the Consul configuration.

Details
Introduced in Consul v1.6.0, a service-router config entry controls Connect traffic routing and manipulation at networking layer 7 (e.g. HTTP). Creating such an entry requires an ACL token with service:write permissions; an entry created without a destination can crash Consul servers.
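As an added example (not HashiCorp's code), a small pre-apply lint for service-router config entries: it assumes the JSON shape given in the Consul documentation (Kind, Name, Routes, each route with Match and Destination) and flags routes that carry no Destination, the malformed shape described above, so entries can be checked before they are written to a server that has not yet been upgraded.

```python
"""Pre-apply lint for Consul service-router config entries.

Added example, not HashiCorp's code. The entry shape (Kind/Name/Routes,
each route with Match and Destination) is assumed from the Consul docs.
"""
import json


def lint_service_router(entry: dict) -> list:
    """Return a list of problems found in one service-router config entry."""
    problems = []
    if entry.get("Kind") != "service-router":
        problems.append("Kind is not service-router")
        return problems
    for i, route in enumerate(entry.get("Routes") or []):
        dest = route.get("Destination")
        # A route with no Destination is the abnormal shape this bulletin describes.
        if not isinstance(dest, dict) or not dest:
            problems.append(f"route {i}: missing Destination")
    return problems


def lint_json(text: str) -> list:
    """Parse a JSON config entry and lint it."""
    return lint_service_router(json.loads(text))


# Constructed sample inputs (not taken from the advisory).
WELL_FORMED = """{
  "Kind": "service-router",
  "Name": "web",
  "Routes": [
    {"Match": {"HTTP": {"PathPrefix": "/admin"}},
     "Destination": {"Service": "admin"}}
  ]
}"""

MISSING_DESTINATION = """{
  "Kind": "service-router",
  "Name": "web",
  "Routes": [
    {"Match": {"HTTP": {"PathPrefix": "/admin"}}}
  ]
}"""

if __name__ == "__main__":
    for name, text in (("well-formed", WELL_FORMED), ("missing-destination", MISSING_DESTINATION)):
        print(name, lint_json(text) or "ok")
```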

Remediation
Customers should upgrade to Consul or Consul Enterprise 1.6.6 or 1.7.4, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by the HashiCorp engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.