HCSEC-2022-07 - Consul’s Connect Service Mesh Affected By Recent Envoy Security Releases

Bulletin ID: HCSEC-2022-07
Affected Products / Versions: Consul and Consul Enterprise up to 1.9.15, 1.10.8, and 1.11.3.
Publication Date: February 28, 2022

Summary
Consul and Consul Enterprise (“Consul”) clusters using Consul Connect service mesh should be updated to adopt recent Envoy security releases.

Consul’s 1.9 releases support only Envoy 1.16 and older, which are no longer supported and did not receive recent security fixes.

Background
Consul provides Consul Connect service mesh functionality via integration with the Envoy proxy. This integration uses the Envoy xDS protocol to manage service proxy configuration between a documented combination of supported Consul / Envoy versions.

Consul 1.9 supports the xDS v2 “State of the World” protocol, which is only available in Envoy version 1.16 and older. Consul 1.10 and newer added support for the xDS v3 “Incremental” protocol and, with it, for more recent versions of Envoy.

Details
On February 22, 2022, the Envoy team announced a set of releases, 1.21.1, 1.20.2, 1.19.3 and 1.18.6, addressing a collection of eight security vulnerabilities.

Seven of these vulnerabilities (CVE-2021-43824, CVE-2021-43825, CVE-2021-43826, CVE-2022-21654, CVE-2022-21655, CVE-2022-23606, and CVE-2022-21657) were addressed in Envoy’s currently-supported branches, 1.18 and newer.

Regarding the eighth vulnerability, CVE-2022-21656, the Envoy advisory noted that backport into the 1.19 or 1.18 stable branches was not possible without increasing the risk of destabilization. The security model of Consul Connect depends to some extent upon the X.509 subjectAltName / nameConstraints functionality that is affected by this CVE. Exposure to this issue will be environment-dependent, as a Consul deployment that uses only certificates from a trusted internal PKI is likely less exposed than a deployment that uses certificates from external sources.
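The bulletin does not describe the mechanism behind CVE-2022-21656, so the following is an added illustration, not code from HashiCorp, Consul or Envoy: it assumes the relevant weakness is accepting a subjectAltName value without regard to its type, and shows why a mesh identity check should require the expected SAN type. The SPIFFE-style URI, trust domain and service name are constructed placeholders, and the certificate is in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""
Typed subjectAltName matching for a service-mesh peer certificate.

Added example; assumes peer identity is carried as a URI SAN (Consul Connect
uses SPIFFE-style URIs) and that the certificate is in the dict form that
ssl.SSLSocket.getpeercert() returns. Names below are constructed placeholders.
"""
from __future__ import annotations

# Constructed sample: a leaf certificate carrying both a DNS SAN and a URI SAN.
PEER_CERT = {
    "subject": ((("commonName", "web.svc"),),),
    "subjectAltName": (
        ("DNS", "web.internal.example"),
        ("URI", "spiffe://example-trust-domain/ns/default/dc/dc1/svc/web"),
    ),
}


def sans(cert: dict) -> list[tuple[str, str]]:
    """Return the (type, value) SAN pairs, or [] if the extension is absent."""
    return [(t, v) for t, v in cert.get("subjectAltName", ())]


def match_any_san(cert: dict, expected: str) -> bool:
    """Weak check: accepts the expected string under *any* SAN type.

    X.509 nameConstraints are applied per name form (RFC 5280), so a CA whose
    constraints cover only dNSName entries does not limit what may appear in a
    uniformResourceIdentifier entry; an untyped comparison cannot rely on them.
    """
    return any(v == expected for _, v in sans(cert))


def match_typed_san(cert: dict, san_type: str, expected: str) -> bool:
    """Strict check: the value must appear under the expected SAN type."""
    return any(t == san_type and v == expected for t, v in sans(cert))


def verify_peer(cert: dict, expected_spiffe_id: str) -> bool:
    """Mesh identity check: require the SPIFFE ID as a URI SAN specifically."""
    return match_typed_san(cert, "URI", expected_spiffe_id)


if __name__ == "__main__":
    sid = "spiffe://example-trust-domain/ns/default/dc/dc1/svc/web"
    print(verify_peer(PEER_CERT, sid))  # True
    # The same text under a different SAN type passes only the weak check.
    mistyped = {"subjectAltName": (("DNS", sid),)}
    print(match_any_san(mistyped, sid), verify_peer(mistyped, sid))  # True False
```

When both sides of a mesh connection pin identity this way, a certificate from a constrained or external issuer cannot satisfy the check unless the identity appears in the SAN type the constraints actually govern.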

The complexity of maintaining the Consul 1.9 / Envoy 1.16 integration now that it is no longer supported upstream is significant, and backporting fixes for these releases is no longer practical. Consul 1.9 will not support the Envoy releases that contain these security fixes.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul or Consul Enterprise 1.10.9, 1.11.4, or newer, along with upgrading Envoy to a recent compatible release (likely 1.20.2, 1.19.3, 1.18.6, or newer). Please refer to Upgrading Consul for general guidance and version-specific upgrade notes, and Envoy Integration Supported Versions for compatibility details.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.