
HCSEC-2021-34

Status: Published

**Bulletin ID:** HCSEC-2021-34

**Affected Products / Versions:**

- Vault and Vault Enterprise up to 1.7.7, 1.8.6, 1.9.1; fixed in 1.7.8, 1.8.7 and 1.9.2.
- Consul and Consul Enterprise up to 1.8.18, 1.9.12, 1.10.5, 1.11.0; fixed in 1.8.19, 1.9.13, 1.10.6, and 1.11.1.
- Boundary up to 0.7.1; fixed in 0.7.2.
- Waypoint up to 0.6.2; fixed in 0.6.3.

**Publication Date:** December 22, 2021

**Summary**

A denial of service vulnerability was reported in Golang’s `net/http` package. This vulnerability, CVE-2021-44716, was fixed in conjunction with another security issue in Go releases 1.16.12 and 1.17.5, and subsequently addressed with new releases of the affected HashiCorp products listed above.

**Background**

Vault, Consul, Boundary and Waypoint use Go’s [net/http](https://pkg.go.dev/net/http) server to serve their applications over the network, with Go automatically upgrading requests to HTTP/2 by default. The Go team [reported](https://groups.google.com/g/golang-announce/c/hcmEScgc00k) that an attacker may cause unbounded memory usage for Go `net/http` servers by crafting requests with unusually large request header sizes, potentially resulting in a denial of service.

**Details**

Assuming network-level access to the service in question, the vulnerability described above may be exploited by an unauthenticated attacker to cause denial of service.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading their HashiCorp products. Please refer to individual product documentation or release notes for product-specific guidance.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.*
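The remediation step above comes down to checking every deployed Vault, Consul, Boundary and Waypoint instance against the fixed-version list. The following Go program is an added example, not HashiCorp code or part of the bulletin: it encodes the first fixed release on each branch exactly as listed in the bulletin and reports whether a given product version still falls in the affected range. Two rules are this example's own assumptions rather than the bulletin's text: a version on a branch older than every listed branch is treated as affected (no fix was backported there), and a version on a branch newer than every listed branch is treated as not affected (it shipped after the fix). The inventory in `main` is constructed sample data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed major.minor.patch release number.
type Version struct{ Major, Minor, Patch int }

// fixedIn holds, per product, the first fixed release on each affected branch,
// in ascending branch order, copied from the "Affected Products / Versions"
// section of HCSEC-2021-34.
var fixedIn = map[string][]Version{
	"vault":    {{1, 7, 8}, {1, 8, 7}, {1, 9, 2}},
	"consul":   {{1, 8, 19}, {1, 9, 13}, {1, 10, 6}, {1, 11, 1}},
	"boundary": {{0, 7, 2}},
	"waypoint": {{0, 6, 3}},
}

// ParseVersion accepts forms such as "1.9.1", "v1.9.1", "1.9.1+ent" (Enterprise
// builds) and "1.9.1-rc1"; pre-release and build suffixes are ignored.
func ParseVersion(s string) (Version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("version %q: want major.minor.patch", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("version %q: bad component %q", s, p)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less reports whether v precedes o in release order.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// SameBranch reports whether two versions share a major.minor release line.
func (v Version) SameBranch(o Version) bool {
	return v.Major == o.Major && v.Minor == o.Minor
}

// IsAffected reports whether product/ver is inside the bulletin's affected range.
// On a listed branch: affected iff older than that branch's fix. On an unlisted
// branch (assumption, see lead-in): affected iff older than the oldest fix.
func IsAffected(product, ver string) (bool, error) {
	fixes, ok := fixedIn[strings.ToLower(product)]
	if !ok {
		return false, fmt.Errorf("product %q is not covered by HCSEC-2021-34", product)
	}
	v, err := ParseVersion(ver)
	if err != nil {
		return false, err
	}
	for _, f := range fixes {
		if v.SameBranch(f) {
			return v.Less(f), nil
		}
	}
	return v.Less(fixes[0]), nil
}

func main() {
	// Constructed inventory for demonstration; not real hosts.
	inventory := []struct{ host, product, ver string }{
		{"vault-a", "vault", "1.9.1+ent"},
		{"vault-b", "vault", "1.9.2"},
		{"consul-a", "consul", "1.10.6"},
		{"consul-b", "consul", "1.7.4"},
		{"bdy-a", "boundary", "0.7.1"},
		{"wp-a", "waypoint", "0.6.3"},
	}
	for _, it := range inventory {
		affected, err := IsAffected(it.product, it.ver)
		if err != nil {
			fmt.Printf("%-9s %-9s %-10s error: %v\n", it.host, it.product, it.ver, err)
			continue
		}
		fmt.Printf("%-9s %-9s %-10s affected=%v\n", it.host, it.product, it.ver, affected)
	}
}
```

Feed it the output of `vault version`, `consul version` and the equivalents gathered from your fleet; anything reported `affected=true` should be upgraded to the fixed release for its branch, per the product release notes.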

Timeline

  • Dec 22, 2021 CVE Published