HCSEC-2022-10 - Consul’s HTTP Health Check May Allow Server Side Request Forgery

Bulletin ID: HCSEC-2022-10
Affected Products / Versions: Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4; fixed in 1.9.17, 1.10.10, and 1.11.5.
Publication Date: April 15, 2022

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5.

Background
Consul provides health checking functionality with several different kinds of checks, one of which can target HTTP endpoints to monitor the status of the service. These checks may be defined in the Consul configuration file, or added at runtime over the HTTP interface. For more information, see the health checks tutorial.

Details
An external party reported that HTTP endpoints accessed by a health check could return an HTTP redirect, which may be abused as a vector for server-side request forgery (SSRF) from the perspective of the Consul client agent following that redirect.

Depending on how this feature is used, and specifically in a multi-tenant environment where checks may be defined by parties across trust boundaries, this may allow application isolation to be bypassed, with the Consul client agent's health check serving as a proxy that sends requests to arbitrary HTTP endpoints.

Consul’s HTTP + Interval health check configuration now provides a disable_redirects option to prohibit this behavior, to better serve those multi-tenant use cases. This currently defaults to false, but the intent is to default this to true in a future release so that redirects must explicitly be enabled.
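The following Go program is an added illustration of the mechanism described in the two paragraphs above; it is not Consul's code and does not use Consul's API. It models a minimal HTTP + Interval style prober and runs it against two constructed, in-memory hosts (tenant.example and internal.example are assumed names that do not exist): the tenant-controlled endpoint answers the check with a redirect to the internal host. With redirects followed (the pre-fix behavior) the internal host receives the request; with the client configured to stop at the 3xx response, which is what disable_redirects = true selects, the check reports the redirect itself and the internal host is never contacted.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// CheckResult is what a probe reports back. It is a constructed type for this
// example, not Consul's own check structure.
type CheckResult struct {
	StatusCode int    // status code the checker observed
	FinalURL   string // URL of the response the checker actually read
}

// runHTTPCheck performs one GET against target, the way an HTTP + Interval
// check would. With followRedirects=false the client returns the 3xx response
// itself instead of chasing the Location header, which is the behaviour the
// advisory's disable_redirects=true selects.
func runHTTPCheck(rt http.RoundTripper, target string, followRedirects bool) (CheckResult, error) {
	client := &http.Client{Transport: rt, Timeout: 5 * time.Second}
	if !followRedirects {
		client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse // hand back the redirect, do not follow it
		}
	}
	resp, err := client.Get(target)
	if err != nil {
		return CheckResult{}, err
	}
	defer resp.Body.Close()
	return CheckResult{StatusCode: resp.StatusCode, FinalURL: resp.Request.URL.String()}, nil
}

// fakeTransport routes requests in memory by host name so the example runs
// without sockets or DNS. The host names used here are constructed.
type fakeTransport struct {
	routes map[string]http.Handler
}

func (t *fakeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	h, ok := t.routes[req.URL.Host]
	if !ok {
		return nil, fmt.Errorf("no route for host %q", req.URL.Host)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	res.Request = req // a RoundTripper is expected to set this
	return res, nil
}

// simulateTenantCheck models the multi-tenant scenario: a tenant-controlled
// endpoint answers the health check with a redirect to an internal host the
// tenant cannot reach directly. It returns how many times the internal host
// was actually hit, plus what the check observed.
func simulateTenantCheck(followRedirects bool) (int, CheckResult, error) {
	internalHits := 0
	rt := &fakeTransport{routes: map[string]http.Handler{
		"internal.example": http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			internalHits++
			fmt.Fprint(w, "internal-only data")
		}),
		"tenant.example": http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			http.Redirect(w, r, "http://internal.example/admin", http.StatusFound)
		}),
	}}
	res, err := runHTTPCheck(rt, "http://tenant.example/health", followRedirects)
	return internalHits, res, err
}

func main() {
	for _, follow := range []bool{true, false} {
		hits, res, err := simulateTenantCheck(follow)
		if err != nil {
			fmt.Println("check error:", err)
			continue
		}
		fmt.Printf("followRedirects=%-5v status=%d final=%s internalHits=%d\n",
			follow, res.StatusCode, res.FinalURL, hits)
	}
}
```

The point of the in-memory transport is that the only thing separating the two runs is the redirect policy of the checking client: the tenant endpoint is identical in both cases, so a check definition alone cannot be used to tell whether a redirect will be honored. That is why the advisory treats disable_redirects as a per-check setting to turn on after upgrading rather than something the redirect target can be screened for.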

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul or Consul Enterprise 1.9.17, 1.10.10, and 1.11.5, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

After upgrading, the disable_redirects option for relevant HTTP checks should be set to true.

Acknowledgement
This issue was identified by the Offensive Security Research Unit at Ronin who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.