HCSEC-2023-15 - Consul Cluster Peering can Result in Denial of Service

Bulletin ID: HCSEC-2023-15
Affected Products / Versions: Consul and Consul Enterprise 1.13.0 through 1.14.6, and 1.15.0 through 1.15.2; fixed in 1.14.7 and 1.15.3.

Cluster peering was a beta feature in Consul 1.13.x. As such, this issue was only addressed in the 1.14.x and 1.15.x branches.

Publication Date: June 2, 2023

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that a peer cluster with a service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability, CVE-2023-1297, was resolved in Consul 1.14.7 and 1.15.3.

Background
Consul cluster peering is a beta feature to support peering connections between two or more independent clusters so that services deployed to different partitions or datacenters can communicate.

Details
During internal testing of cluster peering we observed that, if a local service and a service imported from a cluster peer share the same name, deleting the service on the cluster peer causes Consul’s state to be corrupted, resulting in denial of service.

Remediation
Consul administrators should assess risk / exposure as described, and consider upgrading their Consul cluster to version 1.14.7, 1.15.3, or newer.
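To support the risk assessment above, the following is an added example (not HashiCorp code and not part of this bulletin) that lists every local service whose name is also imported from an active cluster peer, i.e. exactly the pairs that the scenario in Details affects on an unpatched server. It works offline on constructed JSON that mirrors the shape of two Consul HTTP API responses: GET /v1/catalog/services (a map of service name to tags) and GET /v1/peering/<name> (whose StreamStatus carries ImportedServices and ExportedServices). Those field names are taken from the Consul 1.14 API as the author understands it and are an assumption to be verified against the version in use; the peer names, service names and states are invented sample data.

```python
"""Report local services whose name collides with a service imported from a
cluster peer. Added example for assessing exposure to HCSEC-2023-15; it is
not HashiCorp code. The JSON below is constructed to mirror the assumed
shape of GET /v1/catalog/services and GET /v1/peering/<name> responses."""
import json
from typing import Dict, List

# Constructed sample of GET /v1/catalog/services: service name -> tags.
LOCAL_CATALOG_JSON = json.dumps({
    "consul": [],
    "api": ["v1"],
    "billing": [],
    "web": ["frontend"],
})

# Constructed sample: one GET /v1/peering/<name> response per peer, trimmed
# to the fields this check uses (Name, State, StreamStatus).
PEERING_READS_JSON = json.dumps([
    {
        "Name": "cluster-east",
        "State": "ACTIVE",
        "StreamStatus": {"ImportedServices": ["api", "inventory"],
                         "ExportedServices": ["web"]},
    },
    {
        "Name": "cluster-west",
        "State": "ACTIVE",
        "StreamStatus": {"ImportedServices": ["billing", "api"],
                         "ExportedServices": []},
    },
    {
        "Name": "cluster-stale",
        "State": "TERMINATED",
        "StreamStatus": {"ImportedServices": ["web"],
                         "ExportedServices": []},
    },
])


def local_service_names(catalog_json: str) -> set:
    """Names of services registered in the local catalog."""
    return set(json.loads(catalog_json).keys())


def imported_services_by_peer(peerings_json: str,
                              active_only: bool = True) -> Dict[str, List[str]]:
    """Map peer name -> services currently imported from that peer.

    Peerings whose State is not ACTIVE are skipped by default because nothing
    is being imported from them; pass active_only=False to include them, which
    is useful when a peering is expected to become active again."""
    result: Dict[str, List[str]] = {}
    for peering in json.loads(peerings_json):
        if active_only and peering.get("State") != "ACTIVE":
            continue
        status = peering.get("StreamStatus") or {}
        result[peering["Name"]] = list(status.get("ImportedServices") or [])
    return result


def find_collisions(catalog_json: str, peerings_json: str,
                    active_only: bool = True) -> Dict[str, List[str]]:
    """Return {service name: [peer names]} for every local service that is
    also imported from one or more peers. Output is sorted for stable diffs."""
    local = local_service_names(catalog_json)
    collisions: Dict[str, List[str]] = {}
    for peer, imported in imported_services_by_peer(peerings_json,
                                                    active_only).items():
        for svc in imported:
            if svc in local:
                collisions.setdefault(svc, []).append(peer)
    return {svc: sorted(peers) for svc, peers in sorted(collisions.items())}


if __name__ == "__main__":
    found = find_collisions(LOCAL_CATALOG_JSON, PEERING_READS_JSON)
    if not found:
        print("no local/imported service name collisions")
    for svc, peers in found.items():
        print(f"{svc}: local service also imported from {', '.join(peers)}")
```

Against a live cluster the two inputs would come from the catalog endpoint and from one peering read per entry in GET /v1/peerings, fetched with the same ACL token and address the agent uses. The check matches bare service names only; Consul Enterprise deployments that scope services by partition and namespace would need to compare the fully qualified names, which this example does not do. A non-empty result is a reason to upgrade to 1.14.7, 1.15.3 or newer before the peer removes any of the listed services.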

Acknowledgement
This issue was identified by the Consul engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.