HCSEC-2022-05 - Consul Ingress Gateway Panic Can Shutdown Servers

Bulletin ID: HCSEC-2022-05
Affected Products / Versions: Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, and 1.11.2; fixed in 1.9.15, 1.10.8, and 1.11.3.
Publication Date: February 15, 2022

Summary
Consul and Consul Enterprise (“Consul”) clusters with at least one Ingress Gateway allow a user with service:write permissions to register a specifically-defined service that will cause the Consul server to panic. This vulnerability, CVE-2022-24687, was fixed in Consul 1.9.15, 1.10.8, and 1.11.3.

Background
Consul may be configured to provide Ingress Gateways, enabling connectivity within your organizational network from services outside the Consul service mesh to services in the mesh. An ingress gateway is a type of proxy and must be registered as a service in Consul, with the kind set to ingress-gateway.

Details
It was reported that clusters with at least one ingress gateway configured may allow a user with service:write permission to register a specifically-defined service that can cause the Consul server to panic and shut down.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul or Consul Enterprise 1.9.15, 1.10.8, or 1.11.3, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.
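A small triage helper for the remediation step, added here as an example and not part of the bulletin or of HashiCorp's tooling: it parses the first line of `consul version` output (including "+ent" and pre-release suffixes), checks the build against the affected ranges listed above, and names the fixed release to move to. It assumes that the "1.10.7" and "1.11.2" entries cover every 1.10.x and 1.11.x release up to and including that patch level, and that 1.8.x, which has no fixed 1.8 release on the page, should move to 1.9.15.

```python
import re
from typing import NamedTuple, Optional, Tuple

Triple = Tuple[int, int, int]

# Inclusive affected ranges and the fixed release for each line, per HCSEC-2022-05.
# Assumption: "1.10.7" / "1.11.2" mean every 1.10.x / 1.11.x release up to that patch,
# and 1.8.x (no fixed 1.8 release listed) should move to the lowest fixed release, 1.9.15.
AFFECTED = [
    ((1, 8, 0), (1, 9, 14), "1.9.15"),
    ((1, 10, 0), (1, 10, 7), "1.10.8"),
    ((1, 11, 0), (1, 11, 2), "1.11.3"),
]

# Matches "v1.10.5", "1.11.2+ent" or "1.12.0-beta1+ent" anywhere in a line.
_VER = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?\b")


class Assessment(NamedTuple):
    version: str
    enterprise: bool
    prerelease: bool
    affected: bool
    upgrade_to: Optional[str]


def parse_consul_version(output: str) -> Tuple[Triple, bool, bool]:
    """Return (major, minor, patch), enterprise flag, prerelease flag from `consul version` output."""
    first_line = output.strip().splitlines()[0] if output.strip() else ""
    m = _VER.search(first_line)
    if m is None:
        raise ValueError("no Consul version found in: %r" % output)
    triple = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return triple, m.group(5) == "+ent", m.group(4) is not None


def assess(output: str) -> Assessment:
    """Report whether the running build falls inside an HCSEC-2022-05 affected range."""
    triple, ent, pre = parse_consul_version(output)
    label = "%d.%d.%d" % triple
    for low, high, fix in AFFECTED:
        if low <= triple <= high:  # tuple comparison orders major, then minor, then patch
            return Assessment(label, ent, pre, True, fix)
    return Assessment(label, ent, pre, False, None)


if __name__ == "__main__":
    # Constructed sample outputs mimicking the first line printed by `consul version`.
    for sample in ("Consul v1.9.14\nRevision abc123", "Consul v1.10.8+ent", "Consul v1.11.2+ent"):
        print(assess(sample))
```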

Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.