HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. Upstream issue: https://github.com/hashicorp/consul/issues/7159
Created consul tracking bugs for this issue:
Affects: epel-6 [bug 1805868]
Affects: fedora-30 [bug 1805867]
External References: https://github.com/hashicorp/consul/issues/7159
Mitigation: Enforce network connection limits on Consul server agents by using the following iptables rule:

iptables -A INPUT -p tcp --syn --dport 8300 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
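The same per-source cap that the connlimit rule applies at the packet filter can also be enforced inside a Go service, which is what the fix in 1.6.3 addresses at the HTTP/RPC layer. The code below is an added example written for this page, not Consul's own code; ConnGate, NewConnGate, Acquire, Release and Serve are hypothetical names, and a caller would wrap its accept loop as `go gate.Serve(conn, handle)` with a cap such as the 100 used in the iptables rule.

```go
package main
import (
	"net"
	"sync"
)

// ConnGate caps concurrent connections per source IP inside the service, the policy
// the iptables connlimit rule in the mitigation enforces at the packet filter.
type ConnGate struct {
	max   int
	mu    sync.Mutex
	count map[string]int // open connections per source IP
}

func NewConnGate(max int) *ConnGate {
	return &ConnGate{max: max, count: map[string]int{}}
}

// Acquire reserves a slot for ip, reporting false once ip is already at the cap.
func (g *ConnGate) Acquire(ip string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.count[ip] >= g.max {
		return false
	}
	g.count[ip]++
	return true
}

// Release frees a slot; entries are deleted at zero so the map itself stays bounded.
func (g *ConnGate) Release(ip string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.count[ip]--; g.count[ip] <= 0 {
		delete(g.count, ip)
	}
}

// Serve runs handler on conn only while its source is under the cap; an over-cap
// connection is closed before any work is done on it. It reports whether conn was admitted.
func (g *ConnGate) Serve(conn net.Conn, handler func(net.Conn)) bool {
	defer conn.Close()
	ip, _, _ := net.SplitHostPort(conn.RemoteAddr().String())
	if !g.Acquire(ip) {
		return false
	}
	defer g.Release(ip)
	handler(conn)
	return true
}
```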
Working with Kevin: whilst the go.mod file is including consul, it turns out that inside the vendor folder, under modules.txt, it's only including the API section of the code:

# github.com/hashicorp/consul v1.3.0
github.com/hashicorp/consul/api

Makes perfect sense that it's only using the client api part of consul for compatibility, and my bad. Jira tickets are marked rejected/not a bug. ServiceMesh components are not affected; they include consul/api only.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7219