chore(deps): update module github.com/hashicorp/consul to v1.14.5 [security] (release-2.8.x) - abandoned #13777
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.5.1
->v1.14.5
Denial of Service (DoS) in HashiCorp Consul
BIT-consul-2020-7219 / CVE-2020-7219 / GHSA-23jv-v6qj-3fhh
More information
Details
HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3.
Specific Go Packages Affected
github.com/hashicorp/consul/agent/consul
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Incorrect Authorization in HashiCorp Consul
BIT-consul-2020-7955 / CVE-2020-7955 / GHSA-r9w6-rhh9-7v53
More information
Details
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Allocation of Resources Without Limits or Throttling in Hashicorp Consul
BIT-consul-2020-13250 / CVE-2020-13250 / GHSA-rqjq-mrgx-85hp
More information
Details
HashiCorp Consul and Consul Enterprise include an HTTP API (introduced in 1.2.0) and DNS (introduced in 1.4.3) caching feature that was vulnerable to denial of service.
Specific Go Packages Affected
github.com/hashicorp/consul/agent/config
Fix
The vulnerability is fixed in versions 1.6.6 and 1.7.4.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Privilege Escalation in HashiCorp Consul
BIT-consul-2020-28053 / CVE-2020-28053 / GHSA-6m72-467w-94rh / GO-2024-2505
More information
Details
HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Privilege Escalation in HashiCorp Consul in github.com/hashicorp/consul
BIT-consul-2020-28053 / CVE-2020-28053 / GHSA-6m72-467w-94rh / GO-2024-2505
More information
Details
Privilege Escalation in HashiCorp Consul in github.com/hashicorp/consul
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
HashiCorp Consul Cross-site Scripting vulnerability
BIT-consul-2020-25864 / CVE-2020-25864 / GHSA-8xmx-h8rq-h94j
More information
Details
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Consul Privilege Escalation Vulnerability
BIT-consul-2021-37219 / CVE-2021-37219 / GHSA-ccw8-7688-vqx4
More information
Details
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.
BIT-consul-2021-38698 / CVE-2021-38698 / GHSA-6hw5-6gcx-phmw
More information
Details
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector
BIT-consul-2022-29153 / CVE-2022-29153 / GHSA-q6h7-4qgw-2j9p
More information
Details
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery (SSRF). This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Consul L7 deny intention results in an allow action
BIT-consul-2021-36213 / CVE-2021-36213 / GHSA-8h2g-r292-j8xh
More information
Details
In HashiCorp Consul before 1.10.1 (and Consul Enterprise), xds can generate a situation where a single L7 deny intention (with a default deny policy) results in an allow action.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Hashicorp Consul Missing SSL Certificate Validation
BIT-consul-2021-32574 / CVE-2021-32574 / GHSA-25gf-8qrr-g78r
More information
Details
HashiCorp Consul before 1.10.1 (and Consul Enterprise) has Missing SSL Certificate Validation. xds does not ensure that the Subject Alternative Name of an upstream is validated.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
HashiCorp Consul vulnerable to authorization bypass
BIT-consul-2022-40716 / CVE-2022-40716 / GHSA-m69r-9g56-7mv8
More information
Details
HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Hashicorp Consul vulnerable to denial of service
BIT-consul-2023-1297 / CVE-2023-1297 / GHSA-c57c-7hrj-6q6v
More information
Details
Consul and Consul Enterprise's cluster peering implementation contained a flaw whereby a peer cluster with service of the same name as a local service could corrupt Consul state, resulting in denial of service. This vulnerability was resolved in Consul 1.14.5, and 1.15.3
Severity
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
hashicorp/consul (github.com/hashicorp/consul)
v1.14.5
Compare Source
1.14.5 (March 7, 2023)
SECURITY:
This resolves vulnerabilities CVE-2022-41724 in
crypto/tls
and CVE-2022-41723 innet/http
. [GH-16263]IMPROVEMENTS:
BUG FIXES:
v1.14.4
Compare Source
1.14.4 (January 26, 2023)
BREAKING CHANGES:
name
field. Existing peerings with uppercase characters will not be modified, but they may encounter issues in various circumstances. To maintain forward compatibility and avoid issues, it is recommended to destroy and re-create any invalid peering connections so that they do not have a name containing uppercase characters. [GH-15697]FEATURES:
envoy-ready-bind-port
andenvoy-ready-bind-address
to theconsul connect envoy
command that allows configuration of readiness probe on proxy for any service kind. [GH-16015]IMPROVEMENTS:
WatchServers
,WatchRoots
andGetSupportedDataplaneFeatures
gRPC endpoints to accept any valid ACL token [GH-15346]if the partition is unspecified, consul will default the partition in the request to agent's partition [GH-16024]
BUG FIXES:
consul connect envoy
was unable to configure TLS over unix-sockets to gRPC. [GH-15913]v1.14.3
Compare Source
1.14.3 (December 13, 2022)
SECURITY:
golang.org/x/net
to prevent a denial of service by excessive memory usage caused by HTTP2 requests. CVE-2022-41717 [GH-15737]FEATURES:
IMPROVEMENTS:
BUG FIXES:
v1.14.2
Compare Source
1.14.2 (November 30, 2022)
FEATURES:
connect: Add IdleTimeout to service-router to allow configuring the Envoy route idle timeout [GH-14340]
IMPROVEMENTS:
.service
and.node
DNS queries. [GH-15596]BUG FIXES:
consul partition update
subcommand was not registered and therefore not available through the cli.v1.14.1
Compare Source
1.14.1 (November 21, 2022)
BUG FIXES:
consul connect envoy
incorrectly uses the HTTPS API configuration for xDS connections. [GH-15466]v1.14.0
Compare Source
1.14.0 (November 15, 2022)
BREAKING CHANGES:
ports.grpc_tls
configuration option.Introduce a new port to better separate TLS config from the existing
ports.grpc
config.The new
ports.grpc_tls
only supports TLS encrypted communication.The existing
ports.grpc
now only supports plain-text communication. [GH-15339]peering
andconnect
by default. [GH-15302]PeerName
toPeer
on prepared queries and exported services. [GH-14854]changes the names of some Envoy dynamic HTTP metrics. [GH-14178]
SECURITY:
FEATURES:
-consul-dns-port
flag to theconsul connect redirect-traffic
command to allow forwarding DNS traffic to a specific Consul DNS port. [GH-15050]server_type=internal|external
label to gRPC metrics. [GH-14922]get-or-empty
operation to the txn api. Refer to the API docs for more information. [GH-14474]iptables
to forward DNS traffic to a specific DNS port. [GH-15050]IMPROVEMENTS:
xds.update_max_per_second
config field) [GH-14960]Failover
s andRedirect
s onlyspecify
Partition
andNamespace
on Consul Enterprise. This prevents scenarioswhere OSS Consul would save service-resolvers that require Consul Enterprise. [GH-14162]
RetryOn
field for specifying the conditions when Envoy should retry requests beyond specific status codes and generic connection failure which already exists. [GH-12890]<servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul
and<servicename>.virtual.<partition>.ap.<peername>.peer.consul
. This longer form address that allows specifying.peer
would need to be used for tproxy DNS requests made within non-default partitions for imported services.[<tag>.]<service>.service[.<namespace>.ns][.<partition>.ap][.<datacenter>.dc]<domain>
. [GH-14679]consul.xds.server.streamStart
metric to measure time taken to first generate xDS resources for an xDS stream. [GH-14957]max_ejection_percent
on Envoy's outlier detection to 100% for peered services. [GH-14373]BUG FIXES:
NOTES:
v1.13.9
Compare Source
1.13.9 (June 26, 2023)
BREAKING CHANGES:
queries from having a negative impact on server performance. Peering in Consul 1.13 is an experimental feature and is not
recommended for use in production environments. If you still wish to use the experimental peering feature, ensure
peering.enabled = true
is set on all clients and servers. [GH-17731]
SECURITY:
FEATURES:
IMPROVEMENTS:
BUG FIXES:
Also fixes the Consul query metadata present in the HTTP headers of the namespace read and list endpoints.
api
module representation of a namespace.This fixes an error with the
consul namespace list
command when a namespace has a deferred deletion timestamp.v1.13.8
Compare Source
1.13.8 (May 16, 2023)
SECURITY:
This resolves vulnerabilities CVE-2022-41724 in
crypto/tls
and CVE-2022-41723 innet/http
. [GH-16263]This resolves vulnerabilities CVE-2023-24537(
go/scanner
),CVE-2023-24538(
html/template
),CVE-2023-24534(
net/textproto
) andCVE-2023-24536(
mime/multipart
).Also,
golang.org/x/net
has been updated to v0.7.0 to resolve CVEs CVE-2022-41721, CVE-2022-27664 and CVE-2022-41723 [GH-17240]IMPROVEMENTS:
BUG FIXES:
reflect: call of reflect.Value.Type on zero Value
. [GH-17048]/agent/monitor
and/agent/metrics
endpoints return aStreaming not supported
error when audit logs are enabled. This also fixes the delay receiving logs when runningconsul monitor
against an agent with audit logs enabled. [GH-16700]v1.13.7
Compare Source
1.13.7 (March 7, 2023)
SECURITY:
This resolves vulnerabilities CVE-2022-41724 in
crypto/tls
and CVE-2022-41723 innet/http
. [GH-16299]IMPROVEMENTS:
BUG FIXES:
v1.13.6
Compare Source
1.13.6 (January 26, 2023)
FEATURES:
envoy-ready-bind-port
andenvoy-ready-bind-address
to theconsul connect envoy
command that allows configuration of readiness probe on proxy for any service kind. [GH-16015]IMPROVEMENTS:
if the partition is unspecified, consul will default the partition in the request to agent's partition [GH-16024]
BUG FIXES:
v1.13.5
Compare Source
1.13.5 (December 13, 2022)
SECURITY:
golang.org/x/net
to prevent a denial of service by excessive memory usage caused by HTTP2 requests. CVE-2022-41717 [GH-15743]IMPROVEMENTS:
BUG FIXES:
consul partition update
subcommand was not registered and therefore not available through the cli.v1.13.4
Compare Source
1.13.4 (November 30, 2022)
IMPROVEMENTS:
BUG FIXES:
v1.13.3
Compare Source
1.13.3 (October 19, 2022)
FEATURES:
rpc_client_timeout
to tune timeouts for client RPC requests [GH-14965]max_connections
for upstream clusters [GH-14749]IMPROVEMENTS:
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.