HCSEC-2022-19 - Consul Auto-Config JWT Authorization Missing Input Validation

Bulletin ID: HCSEC-2022-19
Affected Products / Versions: Consul and Consul Enterprise 1.8.1 through 1.11.8, 1.12.4, and 1.13.1; fixed in 1.11.9, 1.12.5, and 1.13.2.
Publication Date: September 21, 2022

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that a specially crafted auto-config request allows TLS certificate and ACL token to be generated for a node name not intended by the operator. This vulnerability, CVE-2021-41803, was fixed in Consul 1.11.9, 1.12.5, and 1.13.2.

Background
Auto-Config is a feature in Consul that enables distribution of security material and other configuration settings to all Consul agents in a datacenter. Consul client agents configured with auto-config use JSON web tokens (JWTs) to securely retrieve gossip encryption keys, TLS certificates, ACL settings, and other configuration properties from Consul server agents. This is configured using the auto_config agent configuration option. For more information, see the tutorial.
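The server-side authorization block below is an added illustration (not from the bulletin) of how an operator binds an auto-config JWT to the node name that presents it, using Consul's documented auto_config.authorization.static settings; the public key, issuer and audience values are constructed placeholders, and this configuration illustrates the intended trust model rather than replacing the fixed releases named above.

```hcl
# Consul server agent configuration (constructed example).
# The client agent sends its auto-config request together with a JWT
# (the intro token); the server verifies the token and then checks the
# mapped claims against the request before issuing a TLS certificate
# and ACL token for that node.
auto_config {
  authorization {
    enabled = true

    static {
      # Placeholder: replace with the PEM public key(s) of the JWT issuer,
      # or use jwks_url / oidc_discovery_url instead.
      jwt_validation_pub_keys = ["-----BEGIN PUBLIC KEY-----\n<PLACEHOLDER>\n-----END PUBLIC KEY-----"]

      # Only accept tokens minted by this issuer for this audience
      # (constructed values).
      bound_issuer    = "consul-bootstrap"
      bound_audiences = ["consul-agent"]

      # Limit accepted signing algorithms to what the issuer actually uses.
      jwt_supported_algs = ["RS256"]

      # Expose the token's "node" claim as value.node for the assertions.
      claim_mappings = {
        node = "node"
      }

      # Require the claim to match the node name in the auto-config request
      # (${node} is the requesting agent's node name), so one token cannot be
      # used to obtain a certificate or ACL token for a different node.
      claim_assertions = [
        "value.node == \"${node}\"",
      ]
    }
  }
}
```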

Details
During internal testing, we observed it was possible to craft an auto-config request that allows the TLS certificate and ACL token to be generated for a node name not intended by the operator. This forces Consul to store unintended information, which a malicious, authenticated operator could repeatedly trigger to cause a denial of service.

Remediation
Customers, particularly those using Consul’s auto-config, should evaluate the risk associated with this issue and consider upgrading to Consul 1.11.9, 1.12.5, 1.13.2, or newer.

Acknowledgement
This issue was identified by the Consul engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.