A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.
--
This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
* website: purge existing directory
* website: bulk update from master with changes specific to the upcoming 1.9 release excluded
* test: revert envoy_version to 1.14.2 for existing-ca-path golden file
Kyle Havlovitz
Freddy
Matt Keeler
Mike Morris
Jeff Escalante