HCSEC-2024-16 - Consul UI Development Workflows Vulnerable to Dependency Confusion

Bulletin ID: HCSEC-2024-16
Affected Products / Versions: Consul and Consul Enterprise development workflows from 1.12.0 up to 1.17.6, 1.18.2, and 1.19.0; fixed in 1.17.7, 1.18.3, and 1.19.1.

As detailed below, Consul and Consul Enterprise product releases were not affected by this issue.

Publication Date: July 25, 2024

Summary
HashiCorp Consul and Consul Enterprise development workflows for releases from 1.12.0 up to 1.17.6, 1.18.2, and 1.19.0 were vulnerable to frontend dependency confusion which exclusively impacted development environments. This vulnerability was fixed in Consul development workflows for 1.17.7, 1.18.3 and 1.19.1.

Background
Consul includes a JavaScript-based frontend (known as Consul UI or consul-ui) that uses devDependencies to install packages required by the development workflow; these packages are not included in the production environment or binaries. They typically include compilers, bundlers, testing frameworks and linters.

Details
Consul had an ambiguous development dependency resolution in consul-ui for local packages, introduced in March 2022 prior to the release of Consul 1.12: local packages were referenced in a way that a package manager could also satisfy from the public npm registry. Some but not all of the package names were reserved on the npm registry, and in June 2024 a security researcher demonstrated the ability to publish a package to the npm registry that ran arbitrary code in affected Consul development environments. The researcher reported the issue to HashiCorp, and the npm security team removed the researcher-submitted packages in question from the registry.

The Consul UI development workflow has been updated to explicitly use the file protocol to fetch packages from local paths.
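The following Node script is an added illustration, not code from Consul or HashiCorp: it audits a package.json for local packages that are referenced by a registry-style version range (the ambiguity described above) and shows the explicit file: form the fix uses. The package names and the ./packages/<name> layout are constructed assumptions.

```javascript
// Added example (not Consul's own code): detect local packages whose spec
// would be resolved against the public npm registry instead of the intended
// local path, and rewrite them to an explicit file: reference.
// Assumed layout: local packages live under ./packages/<name>.

const LOCAL_PROTOCOLS = ["file:", "link:", "workspace:"];

// Returns one finding per dependency/devDependency whose name matches a
// local package but whose spec is not an explicit local-path protocol.
function findAmbiguousLocalDeps(manifest, localPackageNames) {
  const local = new Set(localPackageNames);
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const deps = manifest[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (!local.has(name)) continue;
      const isLocal = LOCAL_PROTOCOLS.some((p) => spec.startsWith(p));
      if (!isLocal) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Returns a deep copy of the manifest with every flagged spec pinned to the
// file: protocol so the package manager never consults the registry for it.
function pinLocalDeps(manifest, localPackageNames) {
  const fixed = JSON.parse(JSON.stringify(manifest));
  for (const { field, name } of findAmbiguousLocalDeps(manifest, localPackageNames)) {
    fixed[field][name] = `file:./packages/${name}`;
  }
  return fixed;
}

// Constructed sample manifest; the "example-ui-*" names are hypothetical.
const SAMPLE_MANIFEST = {
  name: "example-ui",
  devDependencies: {
    "example-ui-build-tools": "^1.0.0", // local package, but registry-style spec
    "example-ui-lint-rules": "file:./packages/example-ui-lint-rules", // explicit
    "eslint": "^8.0.0" // genuine registry package, not a local one
  }
};
const SAMPLE_LOCAL = ["example-ui-build-tools", "example-ui-lint-rules"];

console.log(JSON.stringify(findAmbiguousLocalDeps(SAMPLE_MANIFEST, SAMPLE_LOCAL), null, 2));
console.log(JSON.stringify(pinLocalDeps(SAMPLE_MANIFEST, SAMPLE_LOCAL).devDependencies, null, 2));
```

Running the audit in CI against the repository's manifest and the list of directories under ./packages catches a bare-name local reference before it reaches a developer's machine.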

Remediation
Customers using Consul and Consul Enterprise releases provided by HashiCorp do not need to take any action, as this only affected development workflows.

Users building the Consul UI from source should evaluate the risk associated with this issue and consider upgrading to Consul 1.17.7, 1.18.3, 1.19.1 or newer.

Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by Roni Carta, Co-Founder of Lupin & Holmes.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.