Bug 1950492 (CVE-2021-28156) - CVE-2021-28156 consul: Audit log requests bypass
Summary: CVE-2021-28156 consul: Audit log requests bypass
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-28156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1950493
Reported: 2021-04-16 18:05 UTC by Pedro Sampaio
Modified: 2023-08-31 23:55 UTC

Fixed In Version: consul 1.10.0-beta1
Clone Of:
Environment:
Last Closed: 2021-05-06 20:34:14 UTC
Embargoed:
Description Pedro Sampaio 2021-04-16 18:05:04 UTC
A flaw was found in HashiCorp Consul before 1.10.0-beta1 where the audit log could be bypassed.

References:

https://github.com/hashicorp/consul/releases/tag/v1.10.0-beta1
https://github.com/hashicorp/consul/pull/10030

Comment 1 Mark Cooper 2021-04-19 01:11:47 UTC
The commit is labelled `Add synthetic enterprise entry for CVE-2021-28156`, as this only affects the enterprise version of Consul, which includes audit logging [1].

[1] - https://www.consul.io/docs/enterprise/audit-logging

Comment 3 Stoyan Nikolov 2021-05-03 11:25:41 UTC
Statement:

This vulnerability only affects the enterprise version of consul, which includes audit-logging [1]. Hence OpenShift Container Platform (OCP), OpenShift ServiceMesh (OSSM) and OpenShift Virtualization are not affected.

[1] - https://www.consul.io/docs/enterprise/audit-logging

Comment 5 Product Security DevOps Team 2021-05-06 20:34:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-28156
