HCSEC-2023-02 - Vault, Consul, Boundary, and Waypoint Affected By Denial of Service in Go’s net/http (CVE-2022-41717)

Bulletin ID: HCSEC-2023-02
Affected Products / Versions:

  • Vault and Vault Enterprise up to 1.10.9, 1.11.6, 1.12.2; fixed in 1.10.10, 1.11.7, 1.12.3.
  • Consul and Consul Enterprise up to 1.12.7, 1.13.4, 1.14.2; fixed in 1.12.8, 1.13.5, 1.14.3.
  • Boundary up to 0.11.1; fixed in 0.11.2.
  • Waypoint up to 0.10.4; fixed in 0.10.5.

Publication Date: February 7, 2023

Summary
A denial of service vulnerability was reported in Go’s net/http package. This vulnerability, CVE-2022-41717, was fixed together with a second security issue (CVE-2022-41720, in os and net/http) in Go releases 1.18.9 and 1.19.4, and was subsequently addressed with new releases of the affected HashiCorp products listed above.

Background
Vault, Consul, Boundary and Waypoint use Go’s net/http server to serve their APIs and UIs over the network. Go enables HTTP/2 by default on TLS listeners (negotiated with the client via ALPN), so unless HTTP/2 has been explicitly disabled these servers accept HTTP/2 connections and are exposed to the flaw.

Details
The Go team reported that an attacker can cause excessive memory growth in a Go net/http server that accepts HTTP/2 requests. Each HTTP/2 server connection keeps a cache of the HTTP header keys sent by the client; the number of cache entries is capped, but the size of each entry was not, so a client sending requests with very large header keys could make the server allocate roughly 64 MiB per open connection. An attacker holding many such connections can exhaust the server’s memory, resulting in a denial of service.

Assuming network-level access to the service in question (the ability to open a TLS connection to one of its listeners), the vulnerability described above may be exploited by an unauthenticated attacker to cause denial of service: the header parsing happens before any product-level authentication or authorization is applied.

Remediation
Customers should evaluate the risk associated with this issue and upgrade to the fixed product versions listed above; the fix is in the Go toolchain the products are built with, so rebuilding an older product version with a patched Go would also carry it, but the released versions are the supported path. Please refer to individual product documentation or release notes for product-specific guidance. This bulletin does not describe a product-level workaround; Go’s net/http documentation notes that HTTP/2 can be disabled in a Go server by setting Server.TLSNextProto to a non-nil, empty map, but whether a given product exposes that setting is outside the scope of this bulletin.
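As an added example that is not part of this bulletin or of any HashiCorp product, the following Go program shows one way to check whether a deployed binary was built with a patched toolchain: it parses the output of `go version -m <binary>` (the first line carries the toolchain version, `dep` lines carry module versions) and compares the toolchain against the fixed releases named above. The sample output embedded in the program is constructed for illustration. The check of `golang.org/x/net` is an assumption layered on top of the bulletin: the same fix shipped in x/net v0.4.0 for programs that import `golang.org/x/net/http2` directly, but the presence of that dependency alone does not prove the HTTP/2 server path uses it, so that finding is reported as conditional.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of `go version -m /usr/local/bin/vault` output.
// It is made up for this example and does not describe a real Vault build.
const sampleGoVersionM = `/usr/local/bin/vault: go1.19.3
	path	github.com/hashicorp/vault
	mod	github.com/hashicorp/vault	(devel)
	dep	golang.org/x/net	v0.2.0	h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
	build	-compiler=gc
`

// Toolchain releases that shipped the CVE-2022-41717 fix, keyed by minor line
// (from the bulletin). Lines 1.20 and later were released after the fix.
var fixedToolchains = map[int][3]int{18: {1, 18, 9}, 19: {1, 19, 4}}

// fixedXNet is the golang.org/x/net release with the same fix in x/net/http2.
// This value is an assumption of the example, not something the bulletin states.
var fixedXNet = [3]int{0, 4, 0}

// BuildInfo holds what the check needs from `go version -m` output.
type BuildInfo struct {
	Toolchain [3]int // go1.19.3 -> {1, 19, 3}
	XNet      [3]int // golang.org/x/net version; zero when HasXNet is false
	HasXNet   bool
}

// parseVersion turns "go1.19.3", "v0.2.0" or "1.19" into {major, minor, patch}.
// A missing patch number is read as 0; pre-release suffixes (rc1, beta2) are dropped.
func parseVersion(s string) ([3]int, error) {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	end := 0
	for end < len(s) && (s[end] >= '0' && s[end] <= '9' || s[end] == '.') {
		end++
	}
	parts := strings.Split(s[:end], ".")
	var v [3]int
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognised version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("unrecognised version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

// compare orders two versions: -1 if a < b, 0 if equal, 1 if a > b.
func compare(a, b [3]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// ParseGoVersionM extracts the toolchain version from the first line
// ("<path>: go1.19.3") and the x/net version from any "dep golang.org/x/net" line.
func ParseGoVersionM(out string) (BuildInfo, error) {
	var info BuildInfo
	sc := bufio.NewScanner(strings.NewReader(out))
	first := true
	for sc.Scan() {
		line := sc.Text()
		if first {
			first = false
			idx := strings.LastIndex(line, ": ")
			if idx < 0 {
				return info, fmt.Errorf("no toolchain version in %q", line)
			}
			v, err := parseVersion(strings.TrimSpace(line[idx+2:]))
			if err != nil {
				return info, err
			}
			info.Toolchain = v
			continue
		}
		f := strings.Fields(line)
		if len(f) >= 3 && f[0] == "dep" && f[1] == "golang.org/x/net" {
			v, err := parseVersion(f[2])
			if err != nil {
				return info, err
			}
			info.XNet, info.HasXNet = v, true
		}
	}
	return info, sc.Err()
}

// ToolchainVulnerable reports whether net/http in this toolchain predates the fix.
// Go 1.17 and older were out of support when the fix shipped and never received it,
// so they are treated as vulnerable.
func ToolchainVulnerable(v [3]int) bool {
	if v[0] > 1 || (v[0] == 1 && v[1] >= 20) {
		return false
	}
	fixed, ok := fixedToolchains[v[1]]
	if !ok {
		return true
	}
	return compare(v, fixed) < 0
}

// XNetVulnerable reports whether a golang.org/x/net version predates v0.4.0.
func XNetVulnerable(v [3]int) bool { return compare(v, fixedXNet) < 0 }

// Assess returns one finding per affected component; an empty slice means not affected.
func Assess(info BuildInfo) []string {
	var out []string
	t := info.Toolchain
	if ToolchainVulnerable(t) {
		out = append(out, fmt.Sprintf("toolchain go%d.%d.%d: net/http affected by CVE-2022-41717 (fixed in 1.18.9 / 1.19.4)", t[0], t[1], t[2]))
	}
	if x := info.XNet; info.HasXNet && XNetVulnerable(x) {
		out = append(out, fmt.Sprintf("golang.org/x/net v%d.%d.%d: x/net/http2 affected only if the binary uses it directly (fixed in v0.4.0)", x[0], x[1], x[2]))
	}
	return out
}

func main() {
	info, err := ParseGoVersionM(sampleGoVersionM)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	findings := Assess(info)
	if len(findings) == 0 {
		fmt.Println("not affected by CVE-2022-41717")
	}
	for _, f := range findings {
		fmt.Println("VULNERABLE:", f)
	}
}
```

To use it against a real deployment, replace the constructed sample with the captured output of `go version -m` run on the product binary (the product does not need to be running, and no source is required). The toolchain line is the authoritative signal for net/http, because the HTTP/2 server code it uses is bundled into the standard library at build time; a patched product release listed in this bulletin is built with a patched toolchain and will pass this check.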

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.