CVE-2021-32574

Name: CVE-2021-32574
Description: HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 991719

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                 | Version       | Status
consul (PTS)   | buster                  | 1.0.7~dfsg1-5 | fixed
consul (PTS)   | bookworm, bullseye, sid | 1.8.7+dfsg1-2 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
consul  | source | buster     | (not affected) |         |        |
consul  | source | (unstable) | (unfixed)      |         |        | 991719

Notes

[bullseye] - consul <no-dsa> (Minor issue)
[buster] - consul <not-affected> (Only affects 1.3.0 and later)
https://discuss.hashicorp.com/t/hcsec-2021-17-consul-s-envoy-tls-configuration-did-not-validate-destination-service-subject-alternative-names/26856
https://github.com/hashicorp/consul/pull/10619
