Bug 1805875 (CVE-2020-7955)

Summary: CVE-2020-7955 consul: Missing access control in HTTP API endpoints
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, chazlett, drieden, fpokorny, ggaughan, go-sig, janstey, jchaloup, jochrist, jwon, kconner, mcooper, rcernich, sspreitz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: consul 1.6.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-07 04:31:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1805876, 1805877    
Bug Blocks: 1805878    

Description Pedro Sampaio 2020-02-21 16:53:16 UTC 
HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3.

Upstream issue:

https://github.com/hashicorp/consul/issues/7160
Comment 1 Pedro Sampaio 2020-02-21 16:54:31 UTC 
Created consul tracking bugs for this issue:

Affects: epel-6 [bug 1805876]
Affects: fedora-30 [bug 1805877]
Comment 2 Mark Cooper 2020-02-25 02:32:09 UTC 
Whilst OpenShift ServiceMesh does package consul, it is not a vulnerable version (packages v1.1.0 and v1.3.0).

The vulnerable HTTP API endpoint (v1/agent/health/service/*) was only added in releases of consul starting from v1.4.1.

Ref commit which includes the API endpoint: https://github.com/hashicorp/consul/commit/4f62a3b5285cef13f25d162f267b678e3b5c0d8e
Comment 3 Mark Cooper 2020-03-16 01:46:50 UTC 
External References:

https://github.com/hashicorp/consul/issues/7160
Comment 4 Product Security DevOps Team 2020-04-07 04:31:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7955