VYPR
High severity · NVD Advisory · Published Apr 19, 2022 · Updated Aug 3, 2024

CVE-2022-29153


Description

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HashiCorp Consul up to 1.9.16, 1.10.9, and 1.11.4 allows SSRF via HTTP health check redirect following.

Vulnerability

HashiCorp Consul and Consul Enterprise up to versions 1.9.16, 1.10.9, and 1.11.4 contain a server-side request forgery (SSRF) vulnerability in the HTTP health check functionality. When a Consul client agent performs an HTTP health check against an endpoint that returns an HTTP redirect, the agent follows the redirect, potentially sending requests to arbitrary internal or external hosts. This behavior is exploitable when health checks are defined by parties across trust boundaries, such as in multi-tenant environments [2][4].

Exploitation

An attacker must be able to define or influence an HTTP health check so that its endpoint returns a redirect. In multi-tenant deployments, a user with permission to register services and checks can register a check whose http target is an attacker-controlled server. When the Consul client agent executes the check, the attacker's server answers with an HTTP redirect (e.g., 301 or 302) pointing at an address the agent can reach but the tenant cannot (e.g., http://internal-service:8500). Because the agent's HTTP client follows the redirect, the agent issues the second request on the attacker's behalf, effectively acting as a proxy and enabling SSRF [4]. The check runs on every interval, so the forged request is repeated as long as the check stays registered.

Impact

Successful exploitation allows the attacker to perform server-side request forgery from the network position of the Consul client agent. This can bypass network isolation and reach internal services that were never intended to be exposed, potentially leading to information disclosure, further lateral movement, or compromise of internal systems [2][4]. Note that Consul records the (truncated) response body of an HTTP check as the check's output, so the response from the redirect target is not merely fetched but can be read back by anyone able to view the check's status.

Mitigation

The vulnerability is fixed in Consul and Consul Enterprise versions 1.9.17, 1.10.10, and 1.11.5, which introduce a new per-check configuration option, disable_redirects, for HTTP health checks; setting it to true prevents the agent from following redirects. The default remains false in the fixed versions, so upgrading alone does not change the agent's behavior: operators must set disable_redirects to true on each HTTP check that should not follow redirects. HashiCorp plans to change the default to true in a future release [4]. Because the issue is only reachable by a party who can register or modify checks, restricting service and check registration with ACLs to trusted principals also reduces exposure.
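As an added illustration of the mechanism in the Exploitation section and of the disable_redirects toggle described here (this is example code written for this page, not Consul's implementation; the CheckDef type, ParseCheck, RunHTTPCheck and Simulate, the /health and /v1/agent/self paths, and the two loopback servers are all constructed for the example), the program below registers a check against an attacker-controlled endpoint that redirects to an "internal" service, runs it once with redirects followed and once with them disabled, and reports whether the internal service was reached:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// CheckDef is a simplified, hypothetical stand-in for a Consul HTTP check
// definition; only the fields this example needs are modelled. The JSON keys
// mirror Consul's documented snake_case config keys, but the parser is ours.
type CheckDef struct {
	Name             string `json:"name"`
	HTTP             string `json:"http"`
	Interval         string `json:"interval"`
	DisableRedirects bool   `json:"disable_redirects"`
}

// ParseCheck decodes a check definition of the form {"check": {...}}.
func ParseCheck(raw string) (CheckDef, error) {
	var wrapper struct {
		Check CheckDef `json:"check"`
	}
	if err := json.Unmarshal([]byte(raw), &wrapper); err != nil {
		return CheckDef{}, err
	}
	return wrapper.Check, nil
}

// CheckResult is what the simulated agent records after one check run.
type CheckResult struct {
	Status int    // final HTTP status seen by the agent
	Output string // truncated body the agent stores as the check's output
}

// RunHTTPCheck performs one HTTP check. With DisableRedirects unset the client
// follows 3xx responses (the vulnerable behaviour); when set, the redirect
// response itself is returned and the redirect target is never contacted.
func RunHTTPCheck(def CheckDef) (CheckResult, error) {
	client := &http.Client{Timeout: 5 * time.Second}
	if def.DisableRedirects {
		client.CheckRedirect = func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		}
	}
	resp, err := client.Get(def.HTTP)
	if err != nil {
		return CheckResult{}, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	return CheckResult{Status: resp.StatusCode, Output: string(body)}, nil
}

// SimResult couples the check outcome with whether the internal service was hit.
type SimResult struct {
	CheckResult
	InternalHits int32
}

// Simulate stands up two constructed loopback servers: an "internal" service
// that the tenant should not be able to reach, and an attacker-controlled
// check endpoint that answers with a 302 to it. It then parses and runs a
// check pointing at the attacker endpoint, with or without disable_redirects.
func Simulate(disableRedirects bool) (SimResult, error) {
	var hits int32
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
		fmt.Fprint(w, "internal-only response")
	}))
	defer internal.Close()

	attacker := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, internal.URL+"/v1/agent/self", http.StatusFound)
	}))
	defer attacker.Close()

	// Constructed check definition, as a tenant might submit it.
	raw := fmt.Sprintf(`{"check": {"name": "tenant-check", "http": %q, "interval": "10s", "disable_redirects": %t}}`,
		attacker.URL+"/health", disableRedirects)
	def, err := ParseCheck(raw)
	if err != nil {
		return SimResult{}, err
	}
	res, err := RunHTTPCheck(def)
	if err != nil {
		return SimResult{}, err
	}
	return SimResult{CheckResult: res, InternalHits: atomic.LoadInt32(&hits)}, nil
}

func main() {
	for _, disable := range []bool{false, true} {
		r, err := Simulate(disable)
		if err != nil {
			panic(err)
		}
		fmt.Printf("disable_redirects=%-5t status=%d internal_hits=%d output=%q\n",
			disable, r.Status, r.InternalHits, r.Output)
	}
}
```

With disable_redirects false the agent ends up with a 200 and the internal service's body as check output, and the internal server records one hit; with it true the agent sees only the 302 and the internal server is never contacted. The same property explains why the default was kept at false for now: a 3xx is not a 2xx, so any existing check that legitimately relied on a redirect would start failing once redirects are disabled.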

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Affected versions        Patched version
github.com/hashicorp/consul (Go)  < 1.9.17                 1.9.17
github.com/hashicorp/consul (Go)  >= 1.10.0, < 1.10.10     1.10.10
github.com/hashicorp/consul (Go)  >= 1.11.0, < 1.11.5      1.11.5

Affected products: 27

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 12 (the reference list itself is not reproduced on this page; the bracketed citations above refer to it)

News mentions: 0 (no linked articles in our index yet)