Bulletin ID: HCSEC-2021-29
Affected Products / Versions: Consul Enterprise 1.7.0 and newer; fixed in 1.8.17, 1.9.11, and 1.10.4.
Publication Date: November 12, 2021
A vulnerability was identified in Consul Enterprise such that an ACL token with the default operator:write permissions in one namespace may be used to escalate privileges into any other permissions across all namespaces. This vulnerability, CVE-2021-41805, was fixed in Consul Enterprise 1.8.17, 1.9.11, and 1.10.4.
Consul Enterprise uses namespaces and the ACL system to restrict access to resources such as services and nodes. The operator ACL rule (for example, operator:read or operator:write) governs cluster-level operations exposed by the operator API, with the one exception of the keyring API, which is governed by the separate keyring rule.
During internal testing, it was observed that an ACL token configured with default operator:write permissions may be used to escalate privileges into any other permissions across all namespaces.
Consul Enterprise's authorization logic has been modified to prohibit this escalation.
Customers should evaluate the risk associated with this issue and consider upgrading to Consul Enterprise 1.10.4, 1.9.11, 1.8.17, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
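To help evaluate exposure to this issue, the following script is an added example and is not part of the bulletin or of HashiCorp's tooling. It checks whether a reported Consul Enterprise version falls in the affected range stated above (1.7.0 and newer, before 1.8.17, 1.9.11, or 1.10.4, with 1.7.x receiving no fix) and scans a list of ACL policies for operator = "write" grants outside the default namespace. The policy records are constructed sample data; they assume the Name, Namespace, and Rules fields that `consul acl policy read -format=json` emits, which is an assumption about the output shape rather than something the bulletin states.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed releases named in the bulletin, keyed by minor line.
# 1.7.x is affected and has no fixed release; 1.11+ shipped after the fix.
FIXED_VERSIONS = {(1, 8): 17, (1, 9): 11, (1, 10): 4}
FIRST_AFFECTED = (1, 7, 0)

# Accepts "1.10.3", "v1.10.3", and Enterprise strings such as "1.10.3+ent".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Matches a top-level HCL operator rule; comment lines do not match.
_OPERATOR_RULE_RE = re.compile(r'^\s*operator\s*=\s*"(read|write)"', re.MULTILINE)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a Consul version string to (major, minor, patch)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Consul version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True if the version is within the range affected by CVE-2021-41805."""
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False
    if (major, minor) in FIXED_VERSIONS:
        return patch < FIXED_VERSIONS[(major, minor)]
    # Remaining lines: 1.7.x never received a fix; anything newer than 1.10 is fixed.
    return (major, minor) < (1, 8)


def operator_grant(rules: str) -> Optional[str]:
    """Return the operator level ('read' or 'write') granted by HCL rules, or None."""
    levels = _OPERATOR_RULE_RE.findall(rules)
    if not levels:
        return None
    return "write" if "write" in levels else "read"


def find_risky_policies(policies: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """List (namespace, policy name) for policies granting operator:write
    outside the default namespace, the condition the bulletin describes."""
    hits = []
    for policy in policies:
        namespace = policy.get("Namespace") or "default"
        if namespace != "default" and operator_grant(policy.get("Rules", "")) == "write":
            hits.append((namespace, policy["Name"]))
    return hits


# Constructed sample policies (hypothetical names and namespaces), shaped like
# the JSON that `consul acl policy read -format=json` is assumed to return.
SAMPLE_POLICIES = [
    {"Name": "team-a-ops", "Namespace": "team-a",
     "Rules": 'operator = "write"\nservice_prefix "" { policy = "read" }\n'},
    {"Name": "team-b-reader", "Namespace": "team-b",
     "Rules": 'operator = "read"\nnode_prefix "" { policy = "read" }\n'},
    {"Name": "cluster-admin", "Namespace": "default",
     "Rules": 'operator = "write"\n'},
    {"Name": "team-c-svc", "Namespace": "team-c",
     "Rules": '# operator = "write" (commented out)\nservice "web" { policy = "write" }\n'},
]


if __name__ == "__main__":
    for v in ("1.10.3+ent", "1.10.4+ent", "1.7.2+ent", "1.11.0+ent"):
        print(f"{v}: {'affected' if is_vulnerable_version(v) else 'not affected'}")
    for namespace, name in find_risky_policies(SAMPLE_POLICIES):
        print(f"operator:write outside default namespace: {namespace}/{name}")
```

In a real audit, replace SAMPLE_POLICIES with the policies read from each namespace of the cluster; a token can hold these permissions either directly through a linked policy or through a role, so both should be enumerated before concluding that no namespaced token carries operator:write.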
This issue was identified by the Consul engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.