HCSEC-2023-06 - Consul Server Panic when Ingress and API Gateways Configured with Peering Connections

Bulletin ID: HCSEC-2023-06

Bulletin Title: Consul Server Panic when Ingress and API Gateways Configured with Peering Connections

Publication Date: March 7, 2023

Affected Products / Versions: Consul and Consul Enterprise 1.14.0 up to 1.14.4; fixed in 1.14.5.


A vulnerability was identified in Consul and Consul Enterprise (“Consul”) in which an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability, CVE-2023-0845, was fixed in Consul 1.14.5.


Consul cluster peering is a feature to support peering connections between two or more independent clusters so that services deployed to different partitions or datacenters can communicate. API gateways are a dedicated ingress solution for intelligently routing traffic to applications running in the service mesh, and are configured through the Kubernetes Gateway API Specification. Ingress gateways enable connectivity from services outside the Consul service mesh to services inside the mesh, and are configured using configuration entries. These configurations are transpiled and then sent to Envoy using xDS through the Consul server or client agent.


During internal testing, we observed it was possible to crash the Consul server or client agent hosting the xDS connection to an API gateway or ingress gateway by configuring upstreams to reference a peering destination.

To exploit this vulnerability, an attacker requires access to an ACL token with service:write permissions, and there needs to be at least one running ingress or API gateway that is configured to route traffic to an upstream service. For more information on cluster peering, see the documentation.


Customers should evaluate the risk associated with this issue and consider upgrading to Consul 1.14.5, or newer.
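As an added example (not part of the bulletin or HashiCorp's own tooling), the following Python script checks whether an agent's reported version falls inside the affected range stated above (1.14.0 up to, but not including, 1.14.5). It handles the `+ent` build metadata that Consul Enterprise appends, the optional `v` prefix, and pre-release tags; treating a pre-release of 1.14.5 as not yet fixed is a conservative assumption of this script, not a statement from the bulletin. The `Config.Version` and `Config.NodeName` fields are read from the shape of a `/v1/agent/self` response; the sample response embedded below is constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range from HCSEC-2023-06: Consul and Consul Enterprise 1.14.0 up to
# (but not including) 1.14.5; fixed in 1.14.5.
AFFECTED_MIN = (1, 14, 0)
FIXED_IN = (1, 14, 5)

# Accepts "1.14.3", "v1.14.3", "1.14.3+ent", "1.14.5-rc1" and similar.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+([0-9A-Za-z.]+))?$"
)

Core = Tuple[int, int, int]


def parse_version(text: str) -> Tuple[Core, Optional[str], Optional[str]]:
    """Split a Consul version string into ((major, minor, patch), prerelease, build).

    Build metadata such as the '+ent' suffix reported by Consul Enterprise is
    returned but does not influence ordering, matching semver rules.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4), m.group(5)


def is_affected(text: str) -> bool:
    """Return True if the version lies in the bulletin's affected range."""
    core, prerelease, _build = parse_version(text)
    if core < AFFECTED_MIN:
        return False  # 1.13.x and earlier are outside the stated range
    if core < FIXED_IN:
        return True  # 1.14.0 .. 1.14.4 (OSS or +ent) are affected
    # Assumption: a pre-release build of 1.14.5 (e.g. 1.14.5-rc1) is treated
    # as not yet carrying the fix. 1.14.5 final and later are not affected.
    return core == FIXED_IN and prerelease is not None


def audit_agent(agent_self: Dict) -> Dict[str, object]:
    """Evaluate one /v1/agent/self response against HCSEC-2023-06."""
    config = agent_self["Config"]
    version = config["Version"]
    affected = is_affected(version)
    return {
        "node": config["NodeName"],
        "version": version,
        "affected": affected,
        "action": (
            "upgrade to Consul 1.14.5 or newer"
            if affected
            else "no action required for HCSEC-2023-06"
        ),
    }


# Constructed sample of the relevant fields of a /v1/agent/self response.
SAMPLE_AGENT_SELF = {
    "Config": {
        "Datacenter": "dc1",
        "NodeName": "consul-server-0",
        "Version": "1.14.3+ent",
    }
}


if __name__ == "__main__":
    print(audit_agent(SAMPLE_AGENT_SELF))
```

In practice the input would come from `GET /v1/agent/self` on each server and client agent; client agents matter as well, since the bulletin notes the crash affects whichever agent hosts the gateway's xDS connection.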


This issue was identified by the Consul engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.
