HCSEC-2022-02 - Nomad alloc Filesystem and Container Escape

Bulletin ID: HCSEC-2022-02
Affected Products / Versions: Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and 1.2.5; fixed in 1.0.18, 1.1.12, and 1.2.6.
Publication Date: February 10, 2022

Summary
Nomad and Nomad Enterprise (“Nomad”) allows operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root through the Nomad client agent. This vulnerability, CVE-2022-24683, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.

Background
Nomad creates a directory on the host filesystem for each allocation (the scheduled instance of a job's tasks on a client). This directory is the “allocation directory”, as documented in Nomad filesystem internals. Nomad also provides an API to read files within the allocation directory, provided the operator has permission to do so, which is granted with the read-fs capability.

Details
During external testing, it was observed that a Nomad allocation, in combination with the filesystem read API, could be used to read arbitrary files on the host outside of the allocation directory.

Nomad’s path validation logic has been modified to prevent this attack.
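The advisory does not describe the specific flaw in Nomad's original validation, so the following added example (written for this page, not Nomad's own code; the names ErrOutsideAllocDir, safeJoin, resolveInsideAllocDir and the sample allocation path are hypothetical) shows, in general form, the containment check a file-read API over an allocation directory needs: a lexical check that rejects "../" traversal, followed by a check after symlink resolution so that a link created inside the allocation directory cannot redirect the read to a host file.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideAllocDir is returned when a requested path would resolve outside
// the allocation directory. (Hypothetical name, not a Nomad identifier.)
var ErrOutsideAllocDir = errors.New("path escapes allocation directory")

// within reports whether p is root itself or lies strictly beneath root.
// Both arguments must already be cleaned absolute paths.
func within(root, p string) bool {
	if p == root {
		return true
	}
	prefix := root
	if !strings.HasSuffix(prefix, string(filepath.Separator)) {
		prefix += string(filepath.Separator)
	}
	return strings.HasPrefix(p, prefix)
}

// safeJoin confines relPath to allocDir lexically: it joins and cleans, then
// checks that the result still lies under allocDir. This defeats "../"
// traversal but says nothing about what the path points to on disk.
func safeJoin(allocDir, relPath string) (string, error) {
	root := filepath.Clean(allocDir)
	joined := filepath.Join(root, relPath) // Join cleans the result
	if !within(root, joined) {
		return "", ErrOutsideAllocDir
	}
	return joined, nil
}

// resolveInsideAllocDir performs the lexical check and then resolves symlinks
// for both the root and the candidate, so a link planted inside the
// allocation directory cannot redirect the read to an arbitrary host file.
// The requested path must exist, because EvalSymlinks follows links on disk.
func resolveInsideAllocDir(allocDir, relPath string) (string, error) {
	candidate, err := safeJoin(allocDir, relPath)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(allocDir)
	if err != nil {
		return "", fmt.Errorf("resolving allocation directory: %w", err)
	}
	realPath, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", fmt.Errorf("resolving requested path: %w", err)
	}
	if !within(realRoot, realPath) {
		return "", ErrOutsideAllocDir
	}
	return realPath, nil
}

func main() {
	// Constructed sample requests against a hypothetical allocation directory;
	// only the lexical check runs here because these paths do not exist on disk.
	allocDir := "/var/nomad/alloc/0123-example"
	for _, req := range []string{"alloc/logs/app.stdout.0", "../../../../etc/shadow"} {
		p, err := safeJoin(allocDir, req)
		fmt.Printf("%-28s -> %q %v\n", req, p, err)
	}
}
```

The two functions are kept separate on purpose: safeJoin alone accepts a symlink inside the allocation directory that points at a host file, and only resolveInsideAllocDir rejects it, which is why an API that serves files from a directory writable by the workload needs the post-resolution check as well as the lexical one.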

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.2.6, 1.1.12, and 1.0.18, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified during a scheduled external security assessment.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.