VDB

HCSEC-2021-23

HCSEC-2021-23 PUBLISHED

**Bulletin ID:** HCSEC-2021-23 **Affected Products / Versions:** Consul and Consul Enterprise 1.3.0 through 1.10.1; fixed in 1.8.15, 1.9.9 and 1.10.2. **Publication Date:** September 1, 2021 **Summary** Consul and Consul Enterprise (“Consul”) were vulnerable to denial of service due to a flaw in the gogo/protobuf module used for Consul’s protocol buffer support. This vulnerability, CVE-2021-3121, was addressed in Consul and Consul Enterprise 1.8.15, 1.9.9 and 1.10.2. **Background** Consul has a dependency on the [gogo/protobuf](https://github.com/gogo/protobuf) library, which is used to generate protocol buffer code. **Details** The gogo/protobuf library fixed a vulnerability, [CVE-2021-3121](https://nvd.nist.gov/vuln/detail/CVE-2021-3121), whereby an attacker may target gogo/protobuf dependents, including Consul, with a specially crafted protobuf message resulting in denial of service. Recent Consul releases moved to a newer version of this dependency in which the vulnerability was remediated. **Remediation** Customers should review the risk associated with this issue and consider upgrading to Consul or Consul Enterprise 1.8.15, 1.9.9 and 1.10.2, or newer. Please refer to [Upgrading Consul](https://www.consul.io/docs/upgrading) for general guidance and version-specific upgrade notes. *We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.*

Timeline

  • Sep 1, 2021 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›