Bulletin ID: HCSEC-2022-26
Affected Products / Versions: Nomad and Nomad Enterprise 1.4.0 up to 1.4.1; fixed in 1.4.2.
Publication Date: October 28, 2022
Summary
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that an event stream subscriber using an ACL token with an expiry TTL set would continue to receive events until the token was garbage collected. This vulnerability, CVE-2022-3867, was fixed in Nomad 1.4.2.
Background
Nomad’s event stream provides a way to subscribe to Job, Allocation, Evaluation, Deployment, and Node changes in near real time. Whenever a state change occurs in Nomad’s Finite State Machine (FSM), a set of events is created for each updated object.
Details
During internal testing it was observed that an event stream subscriber using an ACL token with an expiry TTL set would continue to receive events until the token was garbage collected. A malicious operator or third party with authenticated access could use this behavior to keep receiving events after the point at which their token should have expired.
Nomad’s ACL token TTL verification logic has been modified to authorize the subscriber’s ACL token before sending each event down the stream.
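The difference between checking the token once at subscription time and re-authorizing it before each event, as an added Go example that is not Nomad's own code: the ACLToken and Event types, the clock callback and both stream functions are hypothetical, and the expiry time and event list used with them are constructed.

```go
package main

import (
	"errors"
	"time"
)

// Hypothetical types, not Nomad's own. A nil ExpirationTime means no TTL.
type ACLToken struct {
	AccessorID     string
	ExpirationTime *time.Time
}

type Event struct {
	Topic string
	Index uint64
}

var ErrTokenExpired = errors.New("ACL token has expired")

// authorize rejects a token whose TTL has elapsed, whether or not the
// expired token has been garbage collected yet.
func authorize(tok *ACLToken, now time.Time) error {
	if tok.ExpirationTime != nil && !now.Before(*tok.ExpirationTime) {
		return ErrTokenExpired
	}
	return nil
}

// streamEventsCheckOnce models the pre-1.4.2 behaviour: the token is checked
// once at subscription time, so every later event is delivered until GC.
func streamEventsCheckOnce(tok *ACLToken, events []Event, clock func() time.Time) ([]Event, error) {
	if err := authorize(tok, clock()); err != nil {
		return nil, err
	}
	return append([]Event(nil), events...), nil
}

// streamEvents models the 1.4.2 fix: the token is re-authorized before each
// event is sent, so delivery stops as soon as the TTL elapses.
func streamEvents(tok *ACLToken, events []Event, clock func() time.Time) ([]Event, error) {
	var delivered []Event
	for _, ev := range events {
		if err := authorize(tok, clock()); err != nil {
			return delivered, err
		}
		delivered = append(delivered, ev)
	}
	return delivered, nil
}
```

The clock callback stands in for the server's wall clock so that the TTL elapsing mid-stream can be simulated deterministically.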
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.4.2, or newer.
See Nomad’s Upgrading documentation for general guidance on this process.
Acknowledgement
This issue was identified by the Nomad engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.