HCSEC-2021-34 - Vault, Consul, Boundary, and Waypoint Affected By Denial of Service in Golang’s net/http (CVE-2021-44716)

Bulletin ID: HCSEC-2021-34
Affected Products / Versions:

  • Vault and Vault Enterprise up to and including 1.7.7, 1.8.6 and 1.9.1; fixed in 1.7.8, 1.8.7 and 1.9.2.
  • Consul and Consul Enterprise up to and including 1.8.18, 1.9.12, 1.10.5 and 1.11.0; fixed in 1.8.19, 1.9.13, 1.10.6 and 1.11.1.
  • Boundary up to and including 0.7.1; fixed in 0.7.2.
  • Waypoint up to and including 0.6.2; fixed in 0.6.3.

Publication Date: December 22, 2021

Summary
A denial of service vulnerability was reported in Go's net/http package. This vulnerability, CVE-2021-44716, was fixed alongside another security issue in Go releases 1.16.12 and 1.17.5, and subsequently addressed by rebuilding the affected HashiCorp products listed above with a fixed Go toolchain.

Background
Vault, Consul, Boundary and Waypoint use Go's net/http server to serve their APIs and user interfaces over the network. Go's net/http server enables HTTP/2 automatically on TLS listeners, so each of these products accepts HTTP/2 requests by default.

The Go team reported that an attacker can cause unbounded memory growth in a Go net/http server that accepts HTTP/2 requests. The server cached the canonical form of every header field name it received on a connection, so a client that keeps sending requests carrying previously unseen header names grows that per-connection cache without limit, potentially resulting in a denial of service. The fix bounds the size of that cache.
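The following program is an added illustration, not code from Go or from any HashiCorp product. It models the per-connection header canonicalization cache described above: an unbounded map (the vulnerable behaviour) beside a capped one (the shape of the fix). The cap of 32 entries is an assumption chosen for the illustration, as is the simulated attacker traffic of distinct header names; the real fix uses a small fixed limit of its own.

```go
package main

import (
	"fmt"
	"net/http"
)

// canonCache models the per-connection cache of canonical header names kept
// by Go's HTTP/2 server. A limit of 0 means "cache everything", which is the
// pre-fix behaviour; any positive limit stops the map from growing past it.
type canonCache struct {
	entries map[string]string
	limit   int
}

func newCanonCache(limit int) *canonCache {
	return &canonCache{entries: make(map[string]string), limit: limit}
}

// canonical returns the canonical form of a header name (e.g. "x-vault-token"
// becomes "X-Vault-Token"). The result is memoised under the raw name the
// client sent, so every new spelling costs an entry.
func (c *canonCache) canonical(name string) string {
	if cv, ok := c.entries[name]; ok {
		return cv
	}
	cv := http.CanonicalHeaderKey(name)
	// Vulnerable: limit == 0 always caches. Fixed: stop once the cap is hit.
	if c.limit == 0 || len(c.entries) < c.limit {
		c.entries[name] = cv
	}
	return cv
}

// simulateConnection feeds n requests into the cache, each carrying a header
// with a name the server has never seen (constructed attacker input), and
// returns how many entries the cache holds afterwards. With an unbounded
// cache that number equals n; with a cap it stops at the cap.
func simulateConnection(c *canonCache, n int) int {
	for i := 0; i < n; i++ {
		c.canonical(fmt.Sprintf("x-attacker-%d", i))
	}
	return len(c.entries)
}

func main() {
	const requests = 100000
	vulnerable := newCanonCache(0)  // pre-fix: grows with every distinct name
	hardened := newCanonCache(32)   // illustrative cap, as in the fix
	fmt.Printf("unbounded cache after %d requests: %d entries\n", requests, simulateConnection(vulnerable, requests))
	fmt.Printf("capped cache after %d requests:    %d entries\n", requests, simulateConnection(hardened, requests))
}
```

The point of the model is that the cost is driven by the number of distinct header names per connection, not by the size of any one header, and that the only input the attacker needs is an open HTTP/2 connection; no credentials are involved, which is why the bulletin treats this as an unauthenticated issue.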

Details
Assuming network-level access to the service's HTTPS listener, the vulnerability described above may be exploited by an unauthenticated attacker to exhaust the process's memory and cause a denial of service; no valid token or other credential is required.

Remediation
Customers should evaluate the risk associated with this issue and upgrade to a fixed release of the affected HashiCorp products listed above. Because the defect is in the Go standard library rather than in product code, the fix is delivered by rebuilding each product with Go 1.16.12 or 1.17.5 (or later); a product built from source must likewise be compiled with a fixed toolchain. Please refer to individual product documentation or release notes for product-specific guidance.
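As an added example (not part of the bulletin, and not a HashiCorp tool), the following program reads the Go toolchain version recorded in a compiled binary such as vault, consul, boundary or waypoint and reports whether that toolchain carries the CVE-2021-44716 fix (1.16.12 or later on the 1.16 line, 1.17.5 or later on the 1.17 line, or any newer minor release). It uses the standard library's debug/buildinfo package, which needs Go 1.18 or newer to run; the program name gocheck and the command-line usage are assumptions for the illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// goVersionRe matches the "goX.Y" or "goX.Y.Z" prefix of a toolchain version
// string as recorded in a binary's build info (e.g. "go1.17.3"). Pre-release
// suffixes such as "rc1" are ignored.
var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// goVersionHasFix reports whether a Go toolchain version includes the
// CVE-2021-44716 fix: 1.16.12+, 1.17.5+, or any later release. Versions
// before 1.16 never received a backport and are reported as unfixed.
func goVersionHasFix(v string) (bool, error) {
	m := goVersionRe.FindStringSubmatch(v)
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	switch {
	case major > 1 || minor > 17:
		return true, nil
	case minor == 17:
		return patch >= 5, nil
	case minor == 16:
		return patch >= 12, nil
	default:
		return false, nil
	}
}

// checkBinary reads the embedded build info of a Go binary on disk and
// returns the toolchain version it was built with plus the fix verdict.
func checkBinary(path string) (string, bool, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	ok, err := goVersionHasFix(bi.GoVersion)
	return bi.GoVersion, ok, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gocheck <path-to-go-binary>")
		os.Exit(2)
	}
	ver, ok, err := checkBinary(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%s: built with %s, CVE-2021-44716 fix present: %v\n", os.Args[1], ver, ok)
	if !ok {
		os.Exit(1)
	}
}
```

Run it as `gocheck /usr/local/bin/vault`; the same information is visible by hand with `go version -m /usr/local/bin/vault`. Checking the toolchain is the right test here because net/http bundles its HTTP/2 implementation inside the standard library, so the Go version alone decides whether the fix is present for the default server; if a product instead configures HTTP/2 through the golang.org/x/net/http2 module directly, the version of that dependency (also listed in the build info) matters as well. Comparing the product version against the fixed releases in this bulletin remains the authoritative check; this program is a cross-check for binaries whose provenance is in doubt.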

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.
