HCSEC-2021-08 - Consul Enterprise Audit Log Bypass for HTTP Events

Bulletin ID: HCSEC-2021-08
Affected Products / Versions: Consul Enterprise 1.8.0 through 1.9.4; fixed in 1.9.5 and 1.8.10.
Publication Date: 19 April, 2021

A vulnerability was identified in Consul Enterprise such that a specially crafted HTTP request can be used to bypass the audit log for HTTP events. This vulnerability, CVE-2021-28156, affects Consul Enterprise versions 1.8.0 up to 1.9.4, and is fixed in the 1.9.5 and 1.8.10 releases.

Consul Enterprise has an audit log feature, intended to capture a clear and actionable log of authenticated events (both attempted and committed).

It was discovered that an attacker could maliciously craft valid HTTP requests with specific parameters which cause the HTTP event to be incorrectly excluded from Consul Enterprise's audit log.

Customers should evaluate the risk associated with this issue and consider upgrading to Consul Enterprise 1.9.5, 1.8.10, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

This issue was identified by the HashiCorp product security team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.