VDB

HCSEC-2023-02 PUBLISHED

**Bulletin ID:** HCSEC-2023-02

**Affected Products / Versions:**

* Vault and Vault Enterprise up to 1.10.9, 1.11.6, 1.12.2; fixed in 1.10.10, 1.11.7, 1.12.3.
* Consul and Consul Enterprise up to 1.12.7, 1.13.4, 1.14.2; fixed in 1.12.8, 1.13.5, 1.14.3.
* Boundary up to 0.11.1; fixed in 0.11.2.
* Waypoint up to 0.10.4; fixed in 0.10.5.

**Publication Date:** February 7, 2023

**Summary**

A denial of service vulnerability was reported in Go's `net/http` package. The issue, CVE-2022-41717, was fixed together with a second security issue in Go releases 1.18.9 and 1.19.4, and the affected HashiCorp products listed above were subsequently rebuilt with a patched toolchain in the fixed releases given.

**Background**

Vault, Consul, Boundary and Waypoint use Go's [`net/http`](https://pkg.go.dev/net/http) server to serve their APIs and UIs over the network. By default, a `net/http` server negotiates HTTP/2 automatically on TLS listeners, so these products accept HTTP/2 connections unless that behaviour has been explicitly turned off.

**Details**

The Go team [reported](https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU) that an attacker can cause excessive memory growth in a Go `net/http` server accepting HTTP/2 requests by sending requests with unusually large header keys; the memory cost is incurred per open HTTP/2 connection, so opening many such connections can exhaust server memory and result in a denial of service.

No credentials are required: any attacker with network-level access to the listener in question can trigger the condition, so the issue is exploitable by an unauthenticated attacker.

**Remediation**

Customers should evaluate the risk associated with this issue and upgrade to the fixed releases listed above. Please refer to individual product documentation or release notes for product-specific guidance.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
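Two checks a practitioner wants after reading the Details section are (1) whether a given Go-built server binary still carries the unpatched `net/http`, and (2) how to switch off the automatic HTTP/2 negotiation the Background paragraph mentions on a Go service of your own that cannot be rebuilt immediately. The program below is an added example written for this page; it is not code from the bulletin, from HashiCorp, or from the Go project. The version boundaries (1.18.9, 1.19.4, with older lines never patched) come from the Go announcement linked above; the function names `ToolchainVulnerable`, `NewServerWithoutHTTP2` and `HTTP2Disabled` are chosen here. The empty `TLSNextProto` map is the mechanism `net/http` itself documents for disabling HTTP/2 on a server. Feed `ToolchainVulnerable` the version token printed by `go version -m <binary>` for a shipped binary, or `runtime.Version()` for the running one.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"regexp"
	"runtime"
	"strconv"
)

// fixedPatch maps each Go minor line that received the CVE-2022-41717 fix to
// the first patch release carrying it, per the Go announcement cited above.
var fixedPatch = map[int]int{18: 9, 19: 4}

var goVersionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion extracts major.minor.patch from a toolchain token such as
// "go1.19.3", the form returned by runtime.Version() and shown by
// `go version -m <binary>`. A missing patch component is treated as 0.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	m := goVersionRE.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, false
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, true
}

// ToolchainVulnerable reports whether a server built with toolchain v still
// carries the unpatched net/http. Lines older than 1.18 were out of support
// when the fix shipped and never received it, so they count as vulnerable;
// 1.18 needs 1.18.9+, 1.19 needs 1.19.4+, and 1.20+ shipped after the fix.
func ToolchainVulnerable(v string) (bool, error) {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false, fmt.Errorf("unrecognised Go toolchain version %q", v)
	}
	switch {
	case major > 1:
		return false, nil
	case minor < 18:
		return true, nil
	}
	if fixed, known := fixedPatch[minor]; known {
		return patch < fixed, nil
	}
	return false, nil
}

// NewServerWithoutHTTP2 builds an http.Server whose automatic HTTP/2
// negotiation on TLS listeners is switched off: a non-nil, empty TLSNextProto
// map is the documented net/http way to disable server-side HTTP/2.
// This is an interim measure for a Go service you control and cannot rebuild
// yet (assumption: the service is otherwise fine on HTTP/1.1); the products in
// the bulletin do not necessarily expose this knob, so upgrade those instead.
func NewServerWithoutHTTP2(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:         addr,
		Handler:      h,
		TLSNextProto: map[string]func(*http.Server, *tls.Conn, http.Handler){},
	}
}

// HTTP2Disabled reports whether s carries the empty-map marker set above.
func HTTP2Disabled(s *http.Server) bool {
	return s.TLSNextProto != nil && len(s.TLSNextProto) == 0
}

func main() {
	// Classify the toolchain this very binary was built with.
	v := runtime.Version()
	vuln, err := ToolchainVulnerable(v)
	if err != nil {
		fmt.Println("cannot classify toolchain:", err)
		return
	}
	fmt.Printf("built with %s; net/http vulnerable to CVE-2022-41717: %v\n", v, vuln)

	srv := NewServerWithoutHTTP2(":8443", http.NotFoundHandler())
	fmt.Println("HTTP/2 disabled on server:", HTTP2Disabled(srv))
}
```

Disabling HTTP/2 removes the code path in which the reported memory growth occurs, but it is a stopgap: the durable fix is rebuilding with Go 1.18.9, 1.19.4 or later, which for the HashiCorp products means installing the fixed releases listed in the bulletin.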

Timeline

  • Feb 8, 2023 CVE Published