HCSEC-2020-19 - Consul Enterprise Namespace Config Entry Replication Denial of Service

Bulletin ID: HCSEC-2020-19
Affected Products / Versions: Consul Enterprise 1.7.0 through 1.8.4; fixed in 1.7.9, and 1.8.5.
Publication Date: 23 October, 2020

Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause infinite Raft writes. This vulnerability, CVE-2020-25201, was fixed in 1.7.9 and 1.8.5.

Consul Enterprise namespaces enable organizational multi-tenancy so that administrators can provide isolated access to data within the cluster shared with specific users or teams.

It was discovered that a Consul Enterprise operator with service:write ACL permissions in a cluster may write a malicious config entry that causes infinite Raft writes, due to issues with namespace replication logic. This can lead to an operator with access to one namespace to be able to temporarily delete a doppelgänger configuration in another namespace they should not have access to modify.

Customers should upgrade to Consul Enterprise 1.7.9, 1.8.5, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

This issue was identified by the Consul engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.