DX NetOps - CAPM Vulnerability

book

Article ID: 211231

calendar_today

Updated On:

Products

CA Performance Management - Usage and Administration

Issue/Introduction

Vulnerability: Hashicorp Consul Web UI and API access – Plugin ID: 111351
Severity: High

Cause

Port: 8900 / tcp / wwwDescription :

A remote, unauthenticated attacker may able to access Consul Web UI and API to gather data, register services and gain remote access.

Solution :

Only allow localhost connections, set up firewall and ACLs.See Also :

https://www.consul.io/docs/internals/security.html,

https://www.consul.io/api/acl.htmlOutput :

**********************************************************************
The following JSON formatted data was gathered from Consul Web API:

[{"ID":"c4a2db05-3825-ce71-67b0-afc5b8b37c58","Node":"dc2capc1","Address":"10.0.130.213","Datacenter":"capc","TaggedAddresses":{"lan":"10.0.130.213","wan":"10.0.130.213"},"Meta":{},"CreateIndex":2236448,"ModifyIndex":2243846}]


**********************************************************************
ACL policy:
ACL support disabled
*********************************************************************

Environment

Release : 3.7

Component : CA Performance Management Predictive Option

Resolution

In 20.2.8 we added ACL token support to Consul.  DA/proxy upgrade for 20.2.8+ will create an ACL token and store in <shareddir>/acl-token.properties.

The contents of that file must be used when accessing the web UI for consul.

 

To resolve this, upgrade to 20.2.8+.

 

NOTE: proxy MUST be upgraded before the 2 DAs.

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/performance-management/20-2/release-notes/new-features-and-enhancements.html#concept.dita_5806523281a8322e06f017e69c5ad5abdff1da00_Enhancements