HashiCorp Consul
cpe:2.3:a:hashicorp:consul:*:*:*:*:*:*:*
- <= 1.21.5
A denial-of-service vulnerability has been identified in the event endpoint of both Consul Community Edition and Consul Enterprise. This issue arises from the absence of a maximum limit on the Content-Length header, allowing attackers to send large payloads that could exhaust memory resources and disrupt service. The vulnerability affects Consul Community Edition versions prior to 1.21.5 and Consul Enterprise versions prior to 1.21.5, 1.20.7, 1.19.9, and 1.18.11. It has been fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8, and 1.18.12.
Exploitation of this vulnerability can lead to memory exhaustion, causing a denial-of-service condition where the system becomes unresponsive or unavailable.
Users are advised to upgrade to Consul Community Edition 1.22.0 or Consul Enterprise 1.22.0, 1.21.6, 1.20.8, or 1.18.12. Consult Consul's upgrading documentation for guidance on the upgrade process.