DX NetOps - CAPM Vulnerability
Hashicorp Consul Vulnerabilities issue on CA PM 3.7

The Tech Docs for this vulnerability suggest that we need to upgrade to PM 20.2.8+ to solve the problem; however, we cannot do a quick upgrade right now. To close this vulnerability we plan to block the ports from all networks using ACLs on the Linux machine, so we would like to know the impact of closing these two ports, 8500 and 8900, from all networks (including the other PM components) and whether this causes a problem:
- Port 8900 (PC) is used by the capc-consul service. If exposure of the PC Consul instance on an external network or behind NAT is a concern, the capc-consul service can be disabled, since it is not actually in use.
- Port 8500 (DAProxy) is required for PC -> DAProxy communication for System Status to work, and the local scripts on each DA (Data Aggregator) talk to localhost:8500 to interact with the web API, so port 8500 should not be closed outright. Instead, use firewall rules that allow only localhost and the PC -> DAProxy IPs to talk on 8500. Port 8500 does not need to be open on the two DAs, only on the DAProxy machine so that PC can reach it.
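The following script is an added example, not part of the Broadcom KB article and not Broadcom's own tooling. It builds the firewall rules the resolution describes for the DAProxy host: TCP/8500 stays reachable from loopback (for the local scripts) and from the PC address (for PC -> DAProxy and System Status), and is rejected for every other source, including the two DAs. It assumes the host filters with iptables on the INPUT chain; the chain name CAPM-DAPROXY-8500 and the PC address in PC_IP are hypothetical placeholders to be replaced with your own values. Run it without arguments for a dry run that prints the rules, or with --apply (as root) to install them.

```bash
#!/usr/bin/env bash
# Added example, not from the Broadcom KB article: build (and optionally apply)
# an iptables rule set that restricts TCP/8500 on the DAProxy host to loopback
# plus the Performance Center (PC) address, as the resolution recommends.
# Assumptions (hypothetical): the DAProxy host filters traffic with iptables on
# the INPUT chain, and PC_IP below is the PC's address. Adjust both to fit.
set -u

# Print the rules for one port as iptables(8) command lines.
#   $1 = TCP port, $2 = name for a dedicated chain, remaining args = allowed sources
# A dedicated chain inserted at position 1 of INPUT keeps this allow list ahead
# of any broader ACCEPT already present; the trailing REJECT closes the port to
# every other network, including the two DAs, which do not need to reach it.
consul_port_rules() {
  local port="$1" chain="$2"
  shift 2
  local src
  printf 'iptables -N %s\n' "$chain"
  printf 'iptables -I INPUT 1 -p tcp --dport %s -j %s\n' "$port" "$chain"
  # Loopback first: the local scripts on the host talk to localhost:8500.
  printf 'iptables -A %s -i lo -j ACCEPT\n' "$chain"
  # Then each permitted peer, here the PC address used for PC -> DAProxy.
  for src in "$@"; do
    printf 'iptables -A %s -s %s -j ACCEPT\n' "$chain" "$src"
  done
  # Everything else gets an immediate TCP reset instead of a silent drop, so a
  # misconfigured peer fails fast rather than hanging on System Status.
  printf 'iptables -A %s -j REJECT --reject-with tcp-reset\n' "$chain"
}

# Run every generated command; needs root, so this is only done with --apply.
apply_rules() {
  local cmd
  while IFS= read -r cmd; do
    echo "+ $cmd"
    eval "$cmd"
  done
}

PC_IP="${PC_IP:-192.0.2.10}"   # hypothetical PC address (RFC 5737 documentation range)
if [ "${1:-}" = "--apply" ]; then
  consul_port_rules 8500 CAPM-DAPROXY-8500 "$PC_IP" | apply_rules
else
  # Dry run: show the rules that --apply would install.
  consul_port_rules 8500 CAPM-DAPROXY-8500 "$PC_IP"
fi
```

The source argument accepts a CIDR as well as a single address if the PC sits on a small management subnet. Re-running with --apply after the chain already exists makes `iptables -N` fail; flush and delete the chain (and its INPUT jump) first, and persist the result with your distribution's iptables-save mechanism so it survives a reboot. On the PC itself, the resolution's own recommendation for port 8900 is to disable the unused capc-consul service rather than filter the port.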