PT-2021-21178 · Hashicorp · Hashicorp Consul Enterprise, Hashicorp Consul

Published: 2021-07-17 · Updated: 2024-08-21 · CVE-2021-36213

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

HashiCorp Consul and Consul Enterprise versions 1.9.0 through 1.10.0

Description

The issue arises when a default deny policy is combined with a single L7 (application-aware) intention whose action is deny: the intention incorrectly fails open and allows L4 traffic. This occurs because the xDS configuration that Consul generates for a single L7 deny intention produces an allow action when a default deny policy is in place.

Recommendations

For HashiCorp Consul and Consul Enterprise versions 1.9.0 through 1.9.7, update to version 1.9.8 to resolve the issue. For HashiCorp Consul and Consul Enterprise version 1.10.0, update to version 1.10.1 to resolve the issue.

Fix

Related Identifiers

BIT-CONSUL-2021-36213
CVE-2021-36213
GHSA-8H2G-R292-J8XH
GO-2022-0895

Affected Products

Hashicorp Consul Enterprise
Hashicorp Consul