PM - Hashicorp Consul Web UI and API access vulnerability

Article ID: 225615

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Tech Docs about this vulnerability suggest we need to upgrade to PM 20.2.8+ to solve this problem; however, we cannot do a quick upgrade right now. To close this vulnerability we are planning to close the ports from all networks using ACLs on the Linux machines, so we would like to know the impact of closing these two ports, 8500 and 8900, from all networks (including other components of DX NetOps Performance Management), and whether this causes a problem or not:

DX NetOps - CAPM Vulnerability
https://knowledge.broadcom.com/external/article/211231/dx-netops-capm-vulnerability.html

Hashicorp Consul Vulnerabilities issue on DX NetOps Performance management 3.7
https://knowledge.broadcom.com/external/article/145187/hashicorp-consul-vulnerabilities-issue-o.html

Environment

DX NetOps Performance Management 20.2.7

Resolution

- Port 8900 (NetOps Portal) is used by the capc-consul service. If there is a concern about the Portal (PC) consul instance being reachable from the external network/NAT, the capc-consul service can be disabled, as it is not being used.

- Port 8500 (DAProxy) is required for NetOps Portal->DAProxy communication for System Status to work, and local scripts on each DA also talk to localhost:8500 to interact with the web API, so port 8500 should not be closed. Instead, it is recommended to use firewall rules so that only localhost and the NetOps Portal->DAProxy IPs can talk on 8500. Also, port 8500 does not need to be open on the two DAs, only on the DAProxy machine so that NetOps Portal can reach it.
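As an added example (not from the article or from Broadcom), a shell script with two helpers for the recommendations above: one reports which of the Consul ports 8500/8900 are listening beyond loopback, the other emits iptables rules that restrict 8500 on the DAProxy host to localhost plus the NetOps Portal. The Portal IP, the sample `ss` output and the rule set itself are my assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the Broadcom article. Helpers for the two
# recommendations above: find which Consul ports (8500/8900) listen beyond
# loopback, and emit iptables rules that restrict 8500 on the DAProxy host
# to localhost plus the NetOps Portal. The Portal IP and the sample `ss`
# output below are constructed assumptions.

PORTAL_IP="${PORTAL_IP:-10.0.0.5}"   # assumed NetOps Portal address

# Constructed sample of `ss -Htln` output from a DAProxy host: 8500 is bound
# to all interfaces (exposed), 8900 only to loopback. On a real host pipe
# `ss -Htln` into exposed_consul_ports instead.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:8500 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8900 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# exposed_consul_ports: reads ss-style lines on stdin and prints each Consul
# port (8500 or 8900) whose listening address is not loopback (v4 or v6).
exposed_consul_ports() {
  awk '$1 == "LISTEN" {
         port = $4; sub(/.*:/, "", port)
         addr = $4; sub(/:[0-9]+$/, "", addr)
         if ((port == "8500" || port == "8900") &&
             addr != "127.0.0.1" && addr != "[::1]")
           print port
       }'
}

# consul_8500_rules: prints iptables commands allowing TCP 8500 only from
# loopback and the given Portal IP; everything else to 8500 is dropped.
consul_8500_rules() {
  local portal="$1"
  printf '%s\n' \
    "iptables -A INPUT -i lo -p tcp --dport 8500 -j ACCEPT" \
    "iptables -A INPUT -s ${portal}/32 -p tcp --dport 8500 -j ACCEPT" \
    "iptables -A INPUT -p tcp --dport 8500 -j DROP"
}

# Dry run by default: report exposure on the sample data and show the rules.
# Only with --apply (as root, on the DAProxy host) are the rules executed.
case "${1:-}" in
  --apply) consul_8500_rules "$PORTAL_IP" | sh -e ;;
  *)
    echo "exposed Consul ports (sample data):"
    printf '%s\n' "$SAMPLE_SS" | exposed_consul_ports
    echo "rules that would be applied:"
    consul_8500_rules "$PORTAL_IP"
    ;;
esac
```

On the NetOps Portal host the other step the article gives is disabling the unused capc-consul service; assuming it is a systemd unit of that name, `systemctl disable --now capc-consul` does that, after which 8900 no longer listens at all.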

Additional Information

The capc-consul service fails to run with error messages in NetOps Portal
https://knowledge.broadcom.com/external/article?articleId=185320