Bulletin ID: HCSEC-2020-08
Affected Products / Versions: Previous versions of Nomad and Nomad Enterprise; fixed in 0.10.5.
Publication Date: 24 March, 2020
Summary
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that files from a malicious workload could cause arbitrary JavaScript to execute in the web UI. This vulnerability, CVE-2020-10944, affects all Nomad versions since 0.3 and is fixed in the 0.10.5 release.
Background
The files within workloads can be accessed from the Nomad API or UI to enable operators to inspect the filesystem of their running allocations.
Details
An internal security review identified a vulnerability such that it was possible to inject JavaScript from a malicious workload in the cluster. When this file is viewed in its raw form from the API or UI, this will execute in the browser.
Remediation
Customers should upgrade to Nomad or Nomad Enterprise 0.10.5, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.
Acknowledgement
This issue was identified by the HashiCorp security team.
We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.