CVE-2022-40716: 
Consul vulnerability analysis and mitigation

HashiCorp Consul and Consul Enterprise versions up to 1.11.8, 1.12.4, and 1.13.1 were found to contain a security vulnerability identified as CVE-2022-40716. The vulnerability was discovered during internal testing and publicly disclosed on September 21, 2022. The issue involves the internal RPC endpoint not properly checking for multiple SAN URI values in Certificate Signing Requests (CSRs) (HashiCorp Advisory).

The vulnerability stems from a failure to validate multiple SAN URI values in Certificate Signing Requests on the internal RPC endpoint. The issue has been assigned a CVSS v3.1 score of 6.5 (Medium), with attack vector parameters of AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability is classified under CWE-252 (NVD).

If exploited, this vulnerability could enable an attacker to bypass Consul service mesh intentions, potentially compromising the security boundaries between services. The impact is particularly significant when an attacker has access to a client agent's mTLS certificate and possesses a valid ACL token for any service within the mesh (HashiCorp Advisory).

The vulnerability has been fixed in Consul versions 1.11.9, 1.12.5, and 1.13.2. HashiCorp recommends that administrators upgrade to these or newer versions. Additionally, administrators should ensure proper protection of client agent configuration secrets, including mTLS certificates, gossip keys, and ACL tokens (HashiCorp Advisory).