Bug 2252882 (CVE-2023-5332)

Summary: CVE-2023-5332 consul: Command injection through script checks option
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: amctagga, bdettelb, dfreiber, dhanak, dsimansk, dymurray, eglynn, gparvin, jburrell, jcantril, jjoyce, jkoehler, jmatthew, jschluet, jwendell, kaycoth, kingland, kverlaen, lball, lhh, lsvaty, matzew, mburns, mgarciac, mnovotny, mrajanna, muagarwa, nbecker, njean, odf-bz-bot, owatkins, pahickey, pgrist, pierdipi, rcernich, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rogbas, sapillai, sdawley, teagle, tnielsen, twalsh, vkumar, whayutin, ypadia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: consul 1.2.4, consul 1.1.1, consul 1.0.8, consul 0.9.4
Doc Type: ---
Doc Text:
A command injection flaw was found in Hashicorp's Consul script check configuration option. If the API is enabled and exposed through a public interface, it is possible to achieve remote code execution.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2252886, 2256522, 2256524, 2252883, 2252887, 2252888, 2256521, 2256523, 2256525, 2256526, 2256527, 2256528, 2256529, 2256530, 2256531, 2256532, 2256533, 2256534, 2256535, 2256536
Bug Blocks: 2252890

Description Pedro Sampaio 2023-12-05 05:38:04 UTC
Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE.

References:

https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171
https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations
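The description above says the vendor patch only holds when Consul's script-check option is off, and the Doc Text adds that the risk materialises when the HTTP API is reachable beyond the local host. As an added example that is not part of this bug report, of Consul, or of GitLab, the following Python script audits a Consul agent JSON configuration for exactly those two conditions: `enable_script_checks` set to true (the setting the description requires to be false) and `client_addr` binding the API to a non-loopback address. The two sample configurations are constructed for the example; `enable_local_script_checks`, which restricts script checks to ones defined in local config files, is the narrower option Consul offers in later releases and is treated as acceptable here.

```python
import json
from typing import List

# Constructed sample: an agent config that leaves the vulnerable path open.
# Script checks can be registered through the HTTP API, and the API listens
# on every interface.
WEAK_CONFIG = """
{
  "datacenter": "dc1",
  "client_addr": "0.0.0.0",
  "enable_script_checks": true
}
"""

# Constructed sample: the setting the bug description calls for, with the
# HTTP API kept on loopback and only locally defined script checks allowed.
HARDENED_CONFIG = """
{
  "datacenter": "dc1",
  "client_addr": "127.0.0.1",
  "enable_script_checks": false,
  "enable_local_script_checks": true
}
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_script_checks(config: dict) -> List[str]:
    """Return findings for the script-check exposure in a parsed agent config.

    An empty list means neither weak condition is present.
    """
    findings: List[str] = []
    script_checks_enabled = bool(config.get("enable_script_checks", False))

    # client_addr may list several space-separated addresses; Consul's
    # default is loopback, so a missing key counts as not exposed.
    client_addr = config.get("client_addr", "127.0.0.1")
    addresses = client_addr.split() if isinstance(client_addr, str) else [str(client_addr)]
    api_exposed = any(addr not in LOOPBACK_ADDRESSES for addr in addresses)

    if script_checks_enabled:
        findings.append(
            "enable_script_checks is true: checks registered through the HTTP API "
            "may execute commands; set it to false"
        )
        if api_exposed:
            findings.append(
                f"client_addr={client_addr!r}: HTTP API is bound beyond loopback "
                "while script checks are enabled"
            )
    return findings


def audit_config_text(text: str) -> List[str]:
    """Parse a Consul JSON config file's contents and audit it."""
    return audit_script_checks(json.loads(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config_text(cfg)
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print("  -", finding)
```

Run it against the contents of each agent config file (Consul also reads HCL, which this script does not parse). A config with `enable_script_checks` true but a loopback-only `client_addr` still produces one finding, since the vendor patch depends on the option being off regardless of where the API listens; binding the API more tightly only removes the second finding.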

Comment 1 Pedro Sampaio 2023-12-05 05:38:33 UTC
Created golang-github-hashicorp-consul-api tracking bugs for this issue:

Affects: fedora-all [bug 2252883]

Comment 3 Pedro Sampaio 2023-12-05 05:53:31 UTC
Created golang-github-hashicorp-consul tracking bugs for this issue:

Affects: fedora-all [bug 2252887]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2252886]