
CVE-2022-40716: n/a in n/a

Medium
Published: Fri Sep 23 2022 (09/23/2022, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 04:11:12 UTC

Technical Analysis

CVE-2022-40716 is a medium-severity vulnerability in HashiCorp Consul and Consul Enterprise up to and including 1.11.8, 1.12.4 and 1.13.1. The certificate signing path on Consul's internal RPC endpoint, which issues the leaf certificates that service mesh (Connect) proxies present to each other, did not check whether a Certificate Signing Request (CSR) carried more than one Subject Alternative Name (SAN) URI. Service identity in the mesh is encoded in exactly that field as a SPIFFE URI, and intentions (the policies that allow or deny service-to-service communication) are evaluated against it. An attacker who already holds the privileges needed to submit a CSR to the internal RPC endpoint could therefore include additional SAN URIs naming other services and obtain a single certificate that the mesh accepts as each of those services, bypassing intentions that would otherwise block the connection. The flaw affects the integrity of mesh policy enforcement rather than confidentiality or availability directly; its consequence is unauthorised service-to-service communication inside the mesh. It is fixed in 1.11.9, 1.12.5 and 1.13.2. The CVSS v3.1 base score is 6.5: network attack vector, low attack complexity, privileges required, no user interaction, high integrity impact, no confidentiality or availability impact. No exploitation in the wild was reported as of publication.
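The following Go program is an added illustration of the check described above; it is not Consul's code and does not reproduce Consul's RPC handler. It builds a CSR carrying two SPIFFE URI SANs (the malicious shape the advisory describes), shows how a signer that only looks at the first URI would let the second one through, and places beside it a hardened check that rejects anything other than a single URI SAN in the expected trust domain. The trust domain, cluster ID and service names are constructed for the example, and the "vulnerable" function is a model of the unchecked behaviour, stated here as an assumption about the class of bug rather than a transcript of the affected source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// Constructed trust domain; the cluster ID is made up for this example.
// Consul service identities have the form
// spiffe://<cluster-id>.consul/ns/<namespace>/dc/<datacenter>/svc/<service>.
const trustDomain = "11111111-2222-3333-4444-555555555555.consul"

// Constructed SPIFFE IDs: the service the attacker legitimately controls and
// the service it wants to impersonate to get past intentions.
var (
	AttackerSvc = "spiffe://" + trustDomain + "/ns/default/dc/dc1/svc/web"
	VictimSvc   = "spiffe://" + trustDomain + "/ns/default/dc/dc1/svc/payments"
)

// ErrURISANCount signals a CSR that does not carry exactly one URI SAN.
var ErrURISANCount = errors.New("CSR must carry exactly one URI SAN")

// BuildCSR returns a DER-encoded CSR whose URI SANs are exactly spiffeIDs.
// Called with two IDs it produces the malicious CSR shape from the advisory.
func BuildCSR(spiffeIDs ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	uris := make([]*url.URL, 0, len(spiffeIDs))
	for _, id := range spiffeIDs {
		u, err := url.Parse(id)
		if err != nil {
			return nil, err
		}
		uris = append(uris, u)
	}
	tmpl := &x509.CertificateRequest{URIs: uris}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// VulnerableIdentity models the unchecked behaviour (an assumption about the
// bug class, not Consul's source): only the first URI SAN is treated as the
// requester's identity, yet every URI SAN would be copied into the issued leaf.
func VulnerableIdentity(der []byte) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if len(csr.URIs) == 0 {
		return nil, errors.New("CSR has no URI SAN")
	}
	ids := make([]string, 0, len(csr.URIs))
	for _, u := range csr.URIs {
		ids = append(ids, u.String())
	}
	return ids, nil // ids[0] is what got authorised; ids[1:] ride along unchecked
}

// HardenedIdentity is the check the advisory describes as missing: a valid
// CSR signature, exactly one URI SAN, and that SAN a SPIFFE ID in our domain.
func HardenedIdentity(der []byte) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR signature: %w", err)
	}
	if len(csr.URIs) != 1 {
		return "", fmt.Errorf("%w (got %d)", ErrURISANCount, len(csr.URIs))
	}
	u := csr.URIs[0]
	if u.Scheme != "spiffe" || u.Host != trustDomain {
		return "", fmt.Errorf("URI SAN %q is not a SPIFFE ID in trust domain %s", u, trustDomain)
	}
	return u.String(), nil
}

func main() {
	good, _ := BuildCSR(AttackerSvc)
	bad, _ := BuildCSR(AttackerSvc, VictimSvc)

	ids, _ := VulnerableIdentity(bad)
	fmt.Println("vulnerable signer would issue a leaf valid for:", ids)

	if _, err := HardenedIdentity(bad); err != nil {
		fmt.Println("hardened signer rejects:", err)
	}
	id, _ := HardenedIdentity(good)
	fmt.Println("hardened signer accepts:", id)
}
```

The hardened check deliberately requires exactly one URI SAN rather than merely "not more than one": a CSR with no service identity at all is also not something a mesh CA should sign. Checking the trust domain as well closes the neighbouring mistake of accepting a well-formed SPIFFE ID from a different cluster.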

Potential Impact

For European organisations that use HashiCorp Consul for service discovery and service mesh, this vulnerability weakens the integrity of the policies that govern internal service communication. An attacker who already holds the privileges needed to request certificates over the internal RPC endpoint could obtain a certificate the mesh accepts as another service and so talk to workloads that intentions were meant to keep it away from, which is a direct path to lateral movement within the mesh. Because intentions are often the main control separating tiers (for example, keeping a public-facing service away from a payments or customer-data service), a bypass can turn a foothold in one service into access to application logic and data elsewhere. Adoption of microservice and service mesh architectures is widespread in European finance, telecommunications and critical infrastructure, where such trust boundaries carry regulatory weight. The vulnerability does not itself disclose data or cause denial of service, but unauthorised service-to-service access is a plausible precursor to data access or manipulation, so organisations subject to GDPR and sector-specific rules should treat an unpatched, reachable deployment as a risk to the confidentiality and integrity of personal data even though the CVSS vector records no direct confidentiality impact.

Mitigation Recommendations

European organisations should identify every Consul server cluster in use and upgrade to 1.11.9, 1.12.5 or 1.13.2 or later. Upgrading the servers stops further malicious certificates from being issued, but a leaf certificate that was already issued with extra SAN URIs remains valid until it expires (Consul leaf certificates are short-lived by default) or the mesh CA is rotated, so plan a CA rotation if there is any suspicion of abuse. Because the weakness is reachable only with privileged access to the internal RPC endpoint, audit who and what holds that access: restrict network reachability of the server RPC port to Consul agents and administrators, keep ACL enforcement enabled, and review which tokens carry the privileges needed to register services and request their certificates, since these are the privileges the bypass leverages. As a detection check, inspect the leaf certificates presented by services in the mesh: a legitimate Consul leaf certificate carries a single SPIFFE URI SAN, so any certificate chaining to the cluster CA with more than one URI SAN warrants investigation. Keep intentions scoped to the minimum set of allowed service pairs so that a successful impersonation reaches as little as possible. Finally, add the affected version ranges to vulnerability scanning and configuration management, and include service mesh policy bypass as a scenario in incident response playbooks so that such an event is recognised and contained quickly.


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-09-14T00:00:00.000Z
CVSS Version
3.1
State
PUBLISHED

Threat ID: 68368ea2182aa0cae2350fc3

Added to database: 5/28/2025, 4:18:42 AM

Last enriched: 7/6/2025, 4:11:12 AM

Last updated: 8/5/2025, 6:27:11 AM
