HCSEC-2022-28 - Consul Cluster Peering Leaks Imported Nodes/Services Information

Bulletin ID: HCSEC-2022-28
Affected Products / Versions: Consul and Consul Enterprise 1.13.0 up to 1.13.3; fixed in 1.14.0.
Publication Date: November 15, 2022

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that the /v1/internal/ui/nodes and /v1/internal/ui/services HTTP endpoints do not properly filter information by ACL policies. This vulnerability, CVE-2022-3920, was fixed in Consul 1.14.0.

Consul cluster peering is a beta feature to support peering connections between two or more independent clusters so that services deployed to different partitions or datacenters can communicate.

During internal testing, we observed that node and service information imported through cluster peering was being leaked.

To exploit this vulnerability, an attacker does not require access to an ACL token. The peering feature was introduced in Consul 1.13.0 as a beta feature. For more information on cluster peering, see the documentation.

Customers, particularly those using the new cluster peering feature, should evaluate the risk associated with this issue and consider upgrading to Consul 1.14.0, or newer.

This issue was identified by the Consul engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.