HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uniformly enforce ACLs across all API endpoints, resulting in potential unintended information disclosure. Fixed in 1.6.3. Upstream issue: https://github.com/hashicorp/consul/issues/7160
Created consul tracking bugs for this issue:
Affects: epel-6 [bug 1805876]
Affects: fedora-30 [bug 1805877]
Whilst OpenShift ServiceMesh does package consul, it is not a vulnerable version (packages v1.1.0 and v1.3.0). The vulnerable HTTP API endpoint (v1/agent/health/service/*) was only added in releases of consul starting from v1.4.1. Ref commit which includes the API endpoint: https://github.com/hashicorp/consul/commit/4f62a3b5285cef13f25d162f267b678e3b5c0d8e
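A small audit helper for the affected range stated above (1.4.1 through 1.6.2, fixed in 1.6.3), added here as an example and not code from this bug or from HashiCorp. It reads the version from the JSON that a Consul agent returns for GET /v1/agent/self (Config.Version); the sample body is constructed, and the handling of "+ent" and pre-release suffixes is an assumption about Consul's version strings.

```python
import json
import re

# Affected range from the advisory: 1.4.1 through 1.6.2, fixed in 1.6.3.
AFFECTED_MIN = (1, 4, 1)
FIXED_IN = (1, 6, 3)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> tuple:
    """Return (major, minor, patch) from a Consul version string.

    Assumption: Enterprise builds carry a '+ent' suffix and pre-releases a
    '-rc1'-style suffix; both are ignored for the range comparison.
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Consul version: {raw!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(raw: str) -> bool:
    """True when the version lies in [1.4.1, 1.6.3), i.e. still needs the fix."""
    return AFFECTED_MIN <= parse_version(raw) < FIXED_IN


def assess_agent(self_json: str) -> dict:
    """Classify one agent from the body of GET /v1/agent/self.

    The live endpoint reports the build under Config.Version; only the
    fields read here need to be present.
    """
    cfg = json.loads(self_json)["Config"]
    version = cfg["Version"]
    return {"node": cfg.get("NodeName"), "version": version,
            "affected": is_affected(version)}


# Constructed sample response, not captured from a real agent.
SAMPLE_SELF = json.dumps({"Config": {"NodeName": "consul-a", "Version": "1.6.2+ent"}})

if __name__ == "__main__":
    print(assess_agent(SAMPLE_SELF))
```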
External References: https://github.com/hashicorp/consul/issues/7160
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7955