HCSEC-2021-08 - Consul Enterprise Audit Log Bypass for HTTP Events

Bulletin ID: HCSEC-2021-08
Affected Products / Versions: Consul Enterprise 1.8.0 through 1.9.4; fixed in 1.9.5 and 1.8.10.
Publication Date: 19 April, 2021

Summary
A vulnerability was identified in Consul Enterprise such that a specially crafted HTTP request can be used to bypass the audit log for HTTP events. This vulnerability, CVE-2021-28156, affects Consul Enterprise versions 1.8.0 through 1.9.4, and is fixed in the 1.9.5 and 1.8.10 releases.

Background
Consul Enterprise has an audit log feature, intended to capture a clear and actionable log of authenticated events (both attempted and committed).

Details
It was discovered that an attacker could maliciously craft valid HTTP requests with specific parameters which cause the HTTP event to be incorrectly excluded from Consul Enterprise’s audit log.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul Enterprise 1.9.5, 1.8.10, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
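The affected range has a trap for inventory scripts: the fix was backported to 1.8.10, which sits numerically inside "1.8.0 through 1.9.4", so a plain range comparison reports patched 1.8.x nodes as vulnerable. The following is an added example (not HashiCorp code) of a branch-aware check that reads the first line of `consul version` output; it assumes that line has the form `Consul v1.9.4+ent` and that the `+ent` build tag marks an Enterprise binary, and it treats a pre-release build of the fixed version (e.g. `1.9.5-rc1`) as unconfirmed and therefore affected.

```python
import re

# Affected range from HCSEC-2021-08: Consul Enterprise 1.8.0 through 1.9.4,
# fixed in 1.8.10 (backport) and 1.9.5. A naive "between 1.8.0 and 1.9.4"
# check would flag 1.8.10, 1.8.11, ... as vulnerable, so the fixed release
# is tracked per minor series instead.
FIRST_AFFECTED = (1, 8, 0)
FIXED_BY_MINOR = {(1, 8): (1, 8, 10), (1, 9): (1, 9, 5)}

# Assumed format of the first line of `consul version`: "Consul v1.9.4+ent".
_VERSION_RE = re.compile(
    r"Consul\s+v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+(\w+))?"
)


def parse_consul_version(line):
    """Return (major, minor, patch, prerelease, build) from a version line.

    `prerelease` and `build` are None when absent. Raises ValueError if the
    line does not look like `consul version` output.
    """
    m = _VERSION_RE.search(line)
    if not m:
        raise ValueError("unrecognised consul version line: %r" % line)
    major, minor, patch, pre, build = m.groups()
    return (int(major), int(minor), int(patch), pre, build)


def is_affected(version_line):
    """True if the reported build falls in the CVE-2021-28156 affected range."""
    major, minor, patch, pre, build = parse_consul_version(version_line)
    # Audit logging is an Enterprise feature; the "+ent" build tag as the
    # Enterprise marker is an assumption of this example.
    if build != "ent":
        return False
    v = (major, minor, patch)
    if v < FIRST_AFFECTED:
        return False  # 1.7.x and earlier: outside the range in the bulletin
    fixed = FIXED_BY_MINOR.get((major, minor))
    if fixed is None:
        return False  # 1.10+ is outside the range stated in the bulletin
    if v == fixed and pre:
        return True  # pre-release of the fixed version: treat as unpatched
    return v < fixed


def affected_nodes(inventory):
    """Given {hostname: first line of `consul version`}, list affected hosts."""
    return sorted(h for h, line in inventory.items() if is_affected(line))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "consul-a": "Consul v1.9.4+ent",
        "consul-b": "Consul v1.8.10+ent",
        "consul-c": "Consul v1.8.9+ent",
        "consul-d": "Consul v1.9.5+ent",
        "consul-e": "Consul v1.9.4",       # OSS build, no audit log feature
    }
    for host in affected_nodes(sample):
        print("%s: upgrade required (%s)" % (host, sample[host]))
```

Run it against the first line of `consul version` from each server and client agent; only Enterprise builds in 1.8.0 to 1.8.9 and 1.9.0 to 1.9.4 are reported.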

Acknowledgement
This issue was identified by the HashiCorp product security team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.