A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.
--
This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.
--
This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
Consul's Connect CA documentation mentions future releases will
support a pluggable CA system. This sentence has existed in the docs
for over two years, however there are currently no plans to develop
this feature on the near-term roadmap.
This commit removes this sentence to avoid giving the impression that
this feature will be available in an upcoming release.
* Add NIA Integration Program page
* Update name to Consul-Terraform-Sync and add Tech Preview tags
* Update diagram to include sequence numbers
* Remove Tech Preview tags and Update Images
* Add TF module naming convention, update image and links
* Add a note, update PANW link, and working updates
* Update URLs to local path
* Update the Azure cloud auto join documentation with more explicit information on how to configure the infrastructure.
* Add a note regarding the length of time taken for Azure to sync the MSI permissions.
* Update references from tag_name to tag_key in the Azure examples
Co-authored-by: Jono Sosulska <42216911+jsosulska@users.noreply.github.com>
hashicorp-ci
freddygv
Freddy
Mike Morris
Kevin Pruett
Kim Ngo
James Light
R.B. Boyer
Blake Covarrubias
Jasmine W
Sabeen Syed
Kit Patella
lornasong
Iryna Shustava
Ricardo Oliveira
Jimmy Merritello
Matt Keeler
Luke Kysow
Chris Piraino
Jeff Escalante
Michael Ethridge
Daniel Nephin
Petrik van der Velde
Hans Hasselberg
Nicole Forrester
danielehc
Prabodh
Mike Wickett
Daniel Kimsey
Lowe Schmidt