CVE-2020-13250: Cache DoS / OOM #8023

Merged
merged 2 commits into from Jun 8, 2020

@hanshasselberg hanshasselberg commented Jun 4, 2020

Summary

Consul’s DNS and HTTP API expose a caching feature susceptible to DoS.

Background

Consul v1.2.0 introduced an agent cache to ease management of proxy configuration on the agents, allowing caching in the HTTP API. Later v1.4.3 included the ability to turn on using the agent cache for DNS queries. While the cache has the ability to expire, or evict old entries, it does not have the ability to limit the cache’s size.

Remediation

Steps to remediate:

hanshasselberg and others added 2 commits June 4, 2020 23:00
This allows the operator to disable agent caching for the http endpoint.
It is on by default for backwards compatibility and if disabled will
ignore the url parameter `cached`.
Co-authored-by: Matt Keeler <mkeeler@users.noreply.github.com>
@hanshasselberg hanshasselberg merged commit 72f92ae into hashicorp:master Jun 8, 2020
3 checks passed
@hanshasselberg hanshasselberg deleted the disable_http_cache branch June 8, 2020 08:08
hanshasselberg added a commit that referenced this pull request Jun 8, 2020
This allows the operator to disable agent caching for the http endpoint.
It is on by default for backwards compatibility and if disabled will
ignore the url parameter `cached`.
@hanshasselberg hanshasselberg changed the title Option to disable agent cache for HTTP endpoints CVE-2020-13250: Cache DoS / OOM Jun 10, 2020
hanshasselberg added a commit that referenced this pull request Jun 10, 2020
hanshasselberg added a commit that referenced this pull request Jun 10, 2020
* consul 1.7.4
* agent: add option to disable agent cache for HTTP endpoints (#8023)

This allows the operator to disable agent caching for the http endpoint.
It is on by default for backwards compatibility and if disabled will
ignore the url parameter `cached`.
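
The gate the commit message describes, as an added Go example that is not code from this pull request or from Consul: caching stays available by default, and the `cached` URL parameter is ignored once the operator turns it off. The names `agentCache`, `newHandler`, `useCache` and `entriesAfter` and the `/v1/example/...` paths are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// agentCache stands in for a cache with no size limit: each new key adds an entry.
type agentCache struct {
	mu      sync.Mutex
	entries map[string]string
}

func (c *agentCache) get(key string, fetch func() string) string {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, ok := c.entries[key]; !ok {
		c.entries[key] = fetch()
	}
	return c.entries[key]
}

// newHandler consults the cache only when the operator setting (hypothetical
// name useCache) is on AND the request carries the `cached` URL parameter.
func newHandler(useCache bool, c *agentCache) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fetch := func() string { return "result for " + r.URL.Path }
		_, wantsCache := r.URL.Query()["cached"]
		if useCache && wantsCache {
			fmt.Fprint(w, c.get(r.URL.RequestURI(), fetch))
			return
		}
		fmt.Fprint(w, fetch()) // setting off or no parameter: the cache is never touched
	})
}

// entriesAfter serves n constructed requests with ?cached and returns the
// number of cache entries that exist afterwards.
func entriesAfter(useCache bool, n int) int {
	c := &agentCache{entries: map[string]string{}}
	h := newHandler(useCache, c)
	for i := 0; i < n; i++ {
		url := fmt.Sprintf("/v1/example/item-%d?cached", i) // constructed path
		h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest("GET", url, nil))
	}
	return len(c.entries)
}

func main() { fmt.Println(entriesAfter(true, 100), entriesAfter(false, 100)) }
```

With the setting on, the entry count follows the number of distinct cached requests; with it off, the count stays at zero whatever the clients send.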