VYPR
Moderate severity · NVD Advisory · Published Mar 9, 2023 · Updated Feb 28, 2025

Consul Server Panic when Ingress and API Gateways Configured with Peering

CVE-2023-0845

Description

Consul and Consul Enterprise allowed an authenticated user with service:write permissions to trigger a workflow that causes Consul server and client agents to crash under certain circumstances. This vulnerability was fixed in Consul 1.14.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users with service:write permissions can crash Consul agents via crafted upstream configurations referencing peering destinations.

Vulnerability

CVE-2023-0845 is a denial-of-service vulnerability in HashiCorp Consul and Consul Enterprise versions 1.14.0 through 1.14.4 [1][3]. The underlying bug occurs in the xDS configuration handling for ingress and API gateways: when an authenticated user with service:write permissions configures upstream services that reference a peering destination, the resulting transpiled Envoy configuration triggers a panic in the Consul server or client agent hosting the xDS connection [3]. This panic causes the agent to crash reliably.

Exploitation

An attacker needs an ACL token with service:write permissions and at least one running ingress or API gateway that is configured to route traffic to an upstream service [3]. The attack does not require network-level access beyond being able to submit resource writes to the Consul API. The workflow is triggered by defining upstreams that target a peering destination, which causes an internal panic during the configuration transpilation process for Envoy [3].

Impact

Successful exploitation crashes the Consul server or client agent handling the xDS connection for that gateway [3]. This can disrupt service mesh operations, including service discovery, health checking, and traffic routing, effectively denying service to dependent applications. The crash affects both Consul server and client agents in the affected versions [3].

Mitigation

The vulnerability is fixed in Consul 1.14.5 (and later versions) [1][3]. HashiCorp has released updates for the affected open-source and enterprise products. Users are advised to upgrade to Consul 1.14.5 or later. There is no known workaround for versions prior to 1.14.5; access to service:write tokens should be closely controlled [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/hashicorp/consul (Go)
Affected versions: >= 1.14.0, < 1.14.5
Patched versions: 1.14.5
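As an added defender-side inventory check (not part of this advisory or of HashiCorp's tooling), the script below classifies agents against the affected range stated above; the agent names and `consul version` strings it uses are constructed sample input, and treating a pre-release build as its release number is an assumption.

```python
"""Flag Consul agents whose build falls in the CVE-2023-0845 affected range."""
import re
from typing import Dict, Optional, Tuple

# Range taken from the advisory: >= 1.14.0 affected, fixed in 1.14.5.
AFFECTED_MIN = (1, 14, 0)
FIXED_IN = (1, 14, 5)
# Accepts `consul version` output ("Consul v1.14.4+ent") or a bare "1.14.4".
_VERSION_RE = re.compile(
    r"^(?:Consul\s+)?v?(\d+)\.(\d+)\.(\d+)"   # core major.minor.patch
    r"(?:-([0-9A-Za-z.]+))?"                  # optional pre-release, e.g. -rc1
    r"(?:\+([0-9A-Za-z.]+))?$"                # optional build metadata, e.g. +ent
)

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch), or None when the string is not a version.
    Pre-release tags and '+ent' (Consul Enterprise) build metadata are dropped,
    so a pre-release counts as its release number (conservative; an assumption).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))

def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the build is inside the advisory's affected range."""
    return AFFECTED_MIN <= version < FIXED_IN

def audit(agents: Dict[str, str]) -> Dict[str, str]:
    """Classify each agent as affected, patched, outside-range or unparsed."""
    result = {}
    for name, reported in agents.items():
        v = parse_version(reported)
        if v is None:
            result[name] = "unparsed"       # investigate by hand
        elif is_affected(v):
            result[name] = "affected"       # upgrade to 1.14.5 or later
        elif v >= FIXED_IN:
            result[name] = "patched"
        else:
            result[name] = "outside-range"  # pre-1.14, not listed as affected
    return result

# Constructed sample inventory (hypothetical agent names and reported versions).
SAMPLE_AGENTS = {
    "server-1": "Consul v1.14.3", "server-2": "Consul v1.14.4+ent",
    "client-a": "Consul v1.14.5", "client-b": "Consul v1.13.6",
    "client-c": "Consul v1.14.0-rc1", "client-d": "n/a",
}
```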
