HCSEC-2023-25 - Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers

Bulletin ID: HCSEC-2023-25
Affected Products / Versions: Consul and Consul Enterprise 1.16.0; fixed in 1.16.1.
Publication Date: August 8, 2023

Summary
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using JWT authentication for service mesh incorrectly allows/denies access regardless of service identities. This vulnerability, CVE-2023-3518, affects Consul 1.16.0 and was fixed in 1.16.1.

Background
Consul 1.16.0 introduced JWT authentication for service mesh which allows configuring JWT provider configuration entries to grant access to the endpoints within the mesh.

Details
Internal testing by the Consul engineering team identified that JWT authentication for service mesh incorrectly allows/denies access regardless of service identities (mTLS certificate).

As a result, when two source intentions that restrict access to the same endpoint specify differing JWT providers, only one of the JWT validation configurations may be applied to both sources, so some service identities can be granted access with a JWT that does not match the provider configured for them.
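To help evaluate exposure on a 1.16.0 cluster, the following added script (not part of this advisory or of Consul itself) scans service-intentions config entries, as returned in JSON by the Consul config API, for destinations whose sources are bound to more than one JWT provider, which is the configuration pattern this issue affects. The entry field layout (`Sources[].JWT.Providers[].Name`, and `Permissions[].JWT` for L7 rules) is assumed from the 1.16 service-intentions schema, and the sample entries are constructed.

```python
import json

# Constructed sample: two service-intentions entries in the shape the Consul
# config API returns them (field names assumed from the 1.16 schema:
# Sources[].JWT.Providers[].Name). "payments" has two sources bound to
# different JWT providers; "frontend" uses a single provider.
SAMPLE_ENTRIES = json.loads("""
[
  {"Kind": "service-intentions", "Name": "payments",
   "Sources": [
     {"Name": "checkout", "Action": "allow",
      "JWT": {"Providers": [{"Name": "okta"}]}},
     {"Name": "billing", "Action": "allow",
      "JWT": {"Providers": [{"Name": "auth0"}]}},
     {"Name": "*", "Action": "deny"}
   ]},
  {"Kind": "service-intentions", "Name": "frontend",
   "Sources": [
     {"Name": "web", "Action": "allow",
      "JWT": {"Providers": [{"Name": "okta"}]}}
   ]}
]
""")

def providers_by_source(entry):
    """Map each source service name to the set of JWT provider names it references."""
    result = {}
    for src in entry.get("Sources", []):
        names = {p["Name"] for p in (src.get("JWT") or {}).get("Providers", [])}
        # Permission-level (L7) rules may also name providers; field layout assumed.
        for perm in src.get("Permissions") or []:
            names |= {p["Name"] for p in (perm.get("JWT") or {}).get("Providers", [])}
        if names:
            result[src["Name"]] = names
    return result

def affected_destinations(entries):
    """Return {destination: {source: providers}} for entries whose sources span
    more than one JWT provider, the pattern CVE-2023-3518 mishandles on 1.16.0."""
    hits = {}
    for entry in entries:
        if entry.get("Kind") != "service-intentions":
            continue
        per_source = providers_by_source(entry)
        all_providers = set().union(*per_source.values()) if per_source else set()
        if len(all_providers) > 1:
            hits[entry["Name"]] = per_source
    return hits
```

Running `affected_destinations(SAMPLE_ENTRIES)` reports only `payments`; a real scan would feed it every service-intentions entry read from the cluster before deciding whether the upgrade to 1.16.1 can wait.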

More requirements and recommendations for a secure Consul deployment can be found in the security model.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Consul 1.16.1 or newer.

See Consul’s Upgrading for general guidance on this process.

Acknowledgement
This issue was identified by the Consul engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.