CVE-2023-0845: 
Consul vulnerability analysis and mitigation

A vulnerability was identified in Consul and Consul Enterprise (CVE-2023-0845) where an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. The vulnerability was discovered in March 2023 and affected Consul versions 1.14.0 up to 1.14.4, with a fix released in version 1.14.5 (HashiCorp Discuss).

The vulnerability occurs in Consul's cluster peering feature, which supports connections between independent clusters for service communication across partitions or datacenters. The issue specifically manifests when configuring upstreams to reference a peering destination in conjunction with API or ingress gateways. The vulnerability requires an attacker to have access to an ACL token with service:write permissions, and there needs to be at least one running ingress or API gateway configured to route traffic to an upstream service (HashiCorp Discuss).

When successfully exploited, this vulnerability can cause Consul server and client agents to crash, potentially leading to service disruption. The crash specifically affects the xDS connection to an API gateway or ingress gateway (HashiCorp Discuss).

The recommended mitigation is to upgrade to Consul version 1.14.5 or newer. Organizations should evaluate the risk associated with this issue and plan their upgrade accordingly (HashiCorp Discuss).