HCSEC-2021-01 - Nomad’s Exec and Java Task Drivers Did Not Isolate Processes

Bulletin ID: HCSEC-2021-01
Affected Products / Versions: Nomad and Nomad Enterprise, all prior versions; fixed in 0.12.10 and 1.0.3.
Publication Date: 29 January, 2021

Summary
Nomad and Nomad Enterprise (“Nomad”) exec and java task drivers may allow a malicious task to access information regarding processes associated with other tasks on the same node. This vulnerability, CVE-2021-3283, affects all prior Nomad versions and is fixed in the 0.12.10 and 1.0.3 releases.

Background
Nomad’s task drivers implement isolation using mechanisms provided by the Linux kernel. These task drivers can be used to run workloads inside an isolated environment on Nomad client nodes when enabled.

Details
It was discovered that the isolation mechanisms within Nomad’s exec and java task drivers did not effectively isolate processes. This allowed a malicious Nomad task to access information regarding processes associated with other tasks on the same node, including potentially sensitive command lines and environment variables.

To mitigate this issue, Nomad now implements PID and IPC namespacing for the exec and java task drivers.

Note that Nomad’s docker task driver is not affected by this issue. Third-party task drivers using the shared library for the exec and java drivers may be exposed.
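
A post-upgrade check for the PID and IPC namespacing described above, as an added example that is not part of the bulletin or Nomad's code: it compares a process's namespace identifiers under /proc with those of the host's PID 1. The function names, PIDs and namespace identifiers in the sample tree are constructed for illustration.

```python
import os

# The two namespaces the bulletin says the fixed drivers now create.
NAMESPACES = ("pid", "ipc")


def ns_id(proc_root, pid, ns):
    """Return the namespace identifier link target, e.g. 'pid:[4026531836]'."""
    return os.readlink(os.path.join(proc_root, str(pid), "ns", ns))


def shared_with_host(pid, proc_root="/proc", host_pid=1):
    """List the namespaces that `pid` still shares with the host init process."""
    return [
        ns for ns in NAMESPACES
        if ns_id(proc_root, pid, ns) == ns_id(proc_root, host_pid, ns)
    ]


def build_sample_proc(root):
    """Constructed /proc-like tree (sample data, not captured from a real node):
    PID 1 is the host, 4100 is a non-isolated task, 4200 is an isolated task."""
    sample = {
        1:    {"pid": "pid:[4026531836]", "ipc": "ipc:[4026531839]"},
        4100: {"pid": "pid:[4026531836]", "ipc": "ipc:[4026531839]"},
        4200: {"pid": "pid:[4026532501]", "ipc": "ipc:[4026532500]"},
    }
    for pid, links in sample.items():
        ns_dir = os.path.join(root, str(pid), "ns")
        os.makedirs(ns_dir)
        for ns, target in links.items():
            # The kernel exposes namespaces as symlinks with this target format.
            os.symlink(target, os.path.join(ns_dir, ns))
    return root


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_proc(tmp)
        for pid in (4100, 4200):
            shared = shared_with_host(pid, proc_root=root)
            print(pid, "shares with host:", ", ".join(shared) or "nothing")
```

On a Linux client node, call `shared_with_host(<pid>)` as root with the PID of a process started by the exec or java driver; an empty list means that process runs in its own PID and IPC namespaces.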

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 0.12.10, 1.0.3, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

Alternatively, disabling the exec and java drivers is sufficient to prevent this vulnerability.

Acknowledgement
This issue was identified by the Nomad engineering team.

We deeply appreciate any effort to discover and disclose security vulnerabilities responsibly. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.