HCSEC-2023-15 - Consul Cluster Peering can Result in Denial of Service

Bulletin ID: HCSEC-2023-15
Affected Products / Versions: Consul and Consul Enterprise 1.13.0 through 1.14.0, and 1.15.0; fixed in 1.14.7 and 1.15.3.

Cluster peering was a beta feature in Consul 1.13.x. As such, this issue was only addressed in the 1.14.x and 1.15.x branches.

Publication Date: June 2, 2023

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability, CVE-2023-1297, was resolved in Consul 1.14.7, and 1.15.3.

Consul cluster peering is a beta feature to support peering connections between two or more independent clusters so that services deployed to different partitions or datacenters can communicate.

During internal testing of cluster peering we observed that, if a local and imported service share the same name, deleting the service on the cluster peer causes Consul’s state to be corrupted, resulting in denial of service.

Consul administrators should assess risk / exposure as described, and consider upgrading their Consul cluster to version 1.14.7, 1.15.3, or newer.

This issue was identified by the Consul engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.