Bulletin ID: HCSEC-2022-05
Affected Products / Versions: Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, and 1.11.2; fixed in 1.9.15, 1.10.8, and 1.11.3.
Publication Date: February 15, 2022
Consul and Consul Enterprise (“Consul”) clusters with at least one Ingress Gateway allow a user with service:write permissions to register a specifically-defined service that will cause the Consul server to panic. This vulnerability, CVE-2022-24687, was fixed in Consul 1.9.15, 1.10.8, and 1.11.3.
Consul may be configured to provide Ingress Gateways, enabling connectivity within your organizational network from services outside the Consul service mesh to services in the mesh. An ingress gateway is a type of proxy and must be registered as a service in Consul, with the kind set to
It was reported that clusters with at least one ingress gateway configured may allow a user with service:write permission to register a specifically-defined service that can cause the Consul server to panic and shut down.
Customers should evaluate the risk associated with this issue and consider upgrading to Consul or Consul Enterprise 1.9.15, 1.10.8, 1.11.3, or a newer release. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
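As an added example (not HashiCorp's code), a small Python checker that maps a Consul agent's reported version onto the affected and fixed releases listed in this bulletin. It assumes the version is read from the Config.Version field of the agent's /v1/agent/self response and that a "+ent" suffix marks a Consul Enterprise build; the sample response is constructed.

```python
import json
import re

# Inclusive affected ranges and fixed releases exactly as stated in HCSEC-2022-05.
AFFECTED_RANGES = (
    ((1, 8, 0), (1, 9, 14)),   # 1.8.0 through 1.9.14
    ((1, 10, 7), (1, 10, 7)),  # 1.10.7 only
    ((1, 11, 2), (1, 11, 2)),  # 1.11.2 only
)
FIXED = {(1, 9): (1, 9, 15), (1, 10): (1, 10, 8), (1, 11): (1, 11, 3)}

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(raw):
    """Return (major, minor, patch) from '1.11.2', 'v1.9.14', 'Consul v1.10.7'
    or '1.11.2+ent'. The '+ent' (Enterprise) and any pre-release label are
    dropped because the bulletin lists Consul and Consul Enterprise together."""
    m = VERSION_RE.search(raw)
    if not m:
        raise ValueError(f"no x.y.z version in {raw!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(raw):
    """True when the version falls inside one of the bulletin's ranges.
    Versions the bulletin does not list (for example 1.10.6) report False."""
    v = parse_version(raw)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess_agent(self_json):
    """Assess the JSON body of GET /v1/agent/self (assumed field: Config.Version).
    1.8.x has no fixed release of its own in the bulletin, so 1.9.15 is suggested."""
    version = json.loads(self_json)["Config"]["Version"]
    affected = is_affected(version)
    fix = FIXED.get(parse_version(version)[:2], FIXED[(1, 9)]) if affected else None
    return {"version": version, "affected": affected,
            "upgrade_to": ".".join(map(str, fix)) if fix else None}


# Constructed sample response, not captured from a real cluster.
SAMPLE_SELF = '{"Config": {"Datacenter": "dc1", "Version": "1.11.2+ent"}}'

if __name__ == "__main__":
    print(assess_agent(SAMPLE_SELF))
```

Whether an affected version is actually exposed also depends on an ingress gateway being registered and on which tokens hold service:write, which the version alone does not show.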
This issue was identified by an external party who reported it to HashiCorp.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.