HCSEC-2021-23 - Consul Exposed to Denial of Service in GoGo Protobuf Dependency

Bulletin ID: HCSEC-2021-23
Affected Products / Versions: Consul and Consul Enterprise 1.3.0 through 1.10.1; fixed in 1.8.15, 1.9.9 and 1.10.2.
Publication Date: September 1, 2021

Summary
Consul and Consul Enterprise (“Consul”) were vulnerable to denial of service due to a flaw in the gogo/protobuf module used for Consul’s protocol buffer support. This vulnerability, CVE-2021-3121, was addressed in Consul and Consul Enterprise 1.8.15, 1.9.9 and 1.10.2.

Background
Consul has a dependency on the gogo/protobuf library, which is used to generate protocol buffer code.

Details
The gogo/protobuf library fixed a vulnerability, CVE-2021-3121, whereby an attacker may target gogo/protobuf dependents, including Consul, with a specially crafted protobuf message, resulting in denial of service.

Recent Consul releases moved to a newer version of this dependency in which the vulnerability was remediated.

Remediation
Customers should review the risk associated with this issue and consider upgrading to Consul or Consul Enterprise 1.8.15, 1.9.9 or 1.10.2, or a newer release. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.