PM - Hashicorp Consul Web UI and API access vulnerability

Article ID: 225615

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Tech Docs about this vulnerability suggest we need to upgrade to PM 20.2.8+ to solve this problem; however, we cannot do a quick upgrade right now. In order to close this vulnerability we are planning to close the ports from all networks using an ACL on the Linux machine, so we would like to know the impact of closing these two ports, 8500 and 8900, from all networks (including other components of PM) and whether this causes a problem or not:

DX NetOps - CAPM Vulnerability
https://knowledge.broadcom.com/external/article/211231/dx-netops-capm-vulnerability.html

Hashicorp Consul Vulnerabilities issue on CA PM 3.7
https://knowledge.broadcom.com/external/article/145187/hashicorp-consul-vulnerabilities-issue-o.html

Environment

PM 20.2.7

Resolution

- Port 8900 (PC) is used by the capc-consul service. If exposure of the PC consul on an external network/NAT is a concern, the capc-consul service can be disabled, as it is not really being used.

- Port 8500 (DAProxy) is required for PC->DAProxy communication (System Status depends on it), and local scripts on each DA talk to localhost:8500 to interact with the web API, so port 8500 should not be blocked. Instead, it is recommended to use firewall rules so that only localhost and the PC->DAProxy IPs can talk on 8500. Also, port 8500 does not need to be open on the two DAs, only on the DAProxy machine so that the PC can reach it.
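The following is an added example, not part of this article, of how the firewall restriction for port 8500 and the capc-consul shutdown for port 8900 could be expressed on a host that uses iptables. The PC address 192.0.2.10 is a placeholder, and the systemd unit name `capc-consul` is assumed to match the service name used above.

```shell
#!/bin/sh
# Added example: restrict TCP/8500 on the DAProxy host to loopback plus the
# Performance Center (PC) host, and disable capc-consul (port 8900) on the PC.
# 192.0.2.10 is a placeholder PC address (RFC 5737); replace it with the real one.

# Print the iptables commands that allow 8500 only from lo and the given PC IP.
# Printing first lets the rule set be reviewed; pipe it into sh as root to apply.
daproxy_8500_rules() {
  pc_ip="$1"
  # Reject anything that is not a dotted-quad IPv4 address.
  case "$pc_ip" in
    *[!0-9.]*|"") echo "invalid PC IP: '$pc_ip'" >&2; return 1 ;;
  esac
  cat <<EOF
# dedicated chain so the policy is easy to audit and to remove later
iptables -N CAPM_8500 2>/dev/null || iptables -F CAPM_8500
iptables -A CAPM_8500 -i lo -j ACCEPT
iptables -A CAPM_8500 -s ${pc_ip} -j ACCEPT
iptables -A CAPM_8500 -j DROP
# hook the chain into INPUT for port 8500 only once (-C checks for an existing rule)
iptables -C INPUT -p tcp --dport 8500 -j CAPM_8500 2>/dev/null || iptables -I INPUT -p tcp --dport 8500 -j CAPM_8500
EOF
}

# Commands for the PC host: stop and disable capc-consul so nothing listens on 8900.
# Assumes capc-consul is a systemd unit; adapt if the host uses SysV init scripts.
pc_disable_consul_cmds() {
  cat <<EOF
systemctl disable --now capc-consul
EOF
}

# Verification after applying, run on the DAProxy host: show the 8500 listener
# and the per-rule packet counters of the new chain (DROP hits = blocked sources).
verify_cmds() {
  cat <<EOF
ss -ltnp 'sport = :8500'
iptables -L CAPM_8500 -n -v
EOF
}

# Usage: review, then apply as root.
# daproxy_8500_rules 192.0.2.10            # review the generated rules
# daproxy_8500_rules 192.0.2.10 | sudo sh  # apply them
```

Confirm from the PC host that 8500 on the DAProxy is still reachable and from any other host that it is not, before relying on the change.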

Additional Information

The capc-consul service fails to run with error messages in Performance Center
https://knowledge.broadcom.com/external/article?articleId=185320