HCSEC-2020-21 - Nomad File Sandbox Escape via Template and Artifact Stanzas

Bulletin ID: HCSEC-2020-21
Affected Products / Versions: Nomad and Nomad Enterprise 0.9.0 through 0.12.5; fixed in 0.12.6, 0.11.5, and 0.10.6.
Publication Date: 21 October, 2020

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a specially crafted Nomad jobspec can be used to escape the client file sandbox configuration. This vulnerability, CVE-2020-27195, affects version 0.9.0 up to 0.12.5, and is fixed in the 0.12.6, 0.11.5, and 0.10.6 releases.

Nomad utilizes the client filesystem to persistently store any required task artifacts or templates on disk. Custom artifacts (files) can be retrieved from various sources including the host client’s filesystem when configured.

Issues were discovered affecting Nomad’s file sandbox features using either the template or artifact stanzas. This can lead to Nomad operators with the ability to submit specially crafted jobspecs to be able to subvert the disable_file_sandbox configuration on the Nomad client.

This issue is identified publicly as CVE-2020-27195.

Customers should upgrade to Nomad or Nomad Enterprise 0.12.6, 0.11.5, 0.10.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

Issued referred to within this bulletin were identified by Tiernan Messmer and independently by the Nomad engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.