Bug 1805866 (CVE-2020-7219)
| Summary: | CVE-2020-7219 consul: HTTP/RPC Services Allow Unbounded Resource Usage | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aileenc, chazlett, drieden, fpokorny, ggaughan, go-sig, janstey, jchaloup, jochrist, jwon, kconner, mcooper, rcernich, sspreitz |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | consul 1.6.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | An unbounded resource consumption vulnerability was found in the API of consul. A remote attacker with a connection to the consul agent servers could abuse this flaw to cause a denial of service (DoS) by repeatedly sending TLS connect attempts over HTTP or RPC, possibly causing an application crash. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-07 04:31:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1805867, 1805868 | | |
| Bug Blocks: | 1805878 | | |
Description
Pedro Sampaio
2020-02-21 16:47:45 UTC
Created consul tracking bugs for this issue:

Affects: epel-6 [bug 1805868]
Affects: fedora-30 [bug 1805867]

External References: https://github.com/hashicorp/consul/issues/7159

Mitigation: Enforce network connection limits on Consul server agents by using the following iptables rule:

```
iptables -A INPUT -p tcp --syn --dport 8300 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
```

Working with Kevin, whilst the go.mod file is including consul, it turns out that inside the vendor folder under modules.txt it's only including the API section of code:

```
# github.com/hashicorp/consul v1.3.0
github.com/hashicorp/consul/api
```

Makes perfect sense that it's only using the client API part of consul for compatibility, and my bad. Jira tickets are marked rejected/not a bug.

ServiceMesh components are not affected; they include consul/api only.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7219