HCSEC-2022-25 - Nomad’s Workload Identity Token Can List Non-sensitive Metadata For nomad/ Paths

Bulletin ID: HCSEC-2022-25
Affected Products / Versions: Nomad and Nomad Enterprise 1.4.0 up to 1.4.1; fixed in 1.4.2.
Publication Date: October 28, 2022

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace.This vulnerability, CVE-2022-3866, was fixed in Nomad 1.4.2.

Nomad’s workload identity, introduced in Nomad 1.4, is a JWT signed by the leader’s keyring that is currently only used for template access to Variables, and not exposed outside of Nomad.

During internal testing it was observed that a workload identity token can be used to list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. The metadata consists only of the path (job/group/task name) and create/modify timestamps.

This behavior may be used by a malicious operator or third party with authenticated access to access non-sensitive information which may provide context they otherwise might not have. Nomad’s authorization logic has been modified to prevent this potential abuse scenario.

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.4.2, or newer.

See Nomad’s Upgrading for general guidance on this process.

This issue was identified internally by the Nomad engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.