Bulletin ID: HCSEC-2023-09
Affected Products / Versions: Nomad and Nomad Enterprise 1.4.0 up to 1.5.0; fixed in 1.4.6 and 1.5.1.
Publication Date: March 13, 2023
Summary
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a deny ACL capability could not be applied to a workload’s own variables. If such a deny capability is included in a policy, the Nomad ACL system silently fails to block the workload's access. This vulnerability, CVE-2023-1296, was fixed in Nomad 1.4.6 and 1.5.1.
Background
Nomad 1.4.0 introduced the variables feature, and a new workload identity feature so that tasks can access their own variables without needing to create and pass a Nomad ACL token.
Details
An OSS user reported that adding a policy with a deny capability on a variable did not deny access to that variable; internal investigation confirmed the behavior.
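As an added illustration (not part of the bulletin and not HashiCorp's own example), this is the shape of policy the report describes: a workload-associated ACL policy that denies a task access to its own variable path. The namespace, the job name "example" and the variable path "nomad/jobs/example" are assumed values chosen for the example. On the affected versions this deny has no effect on the task's implicit workload-identity access to that path; on 1.4.6 and 1.5.1 or newer the deny is enforced.

```hcl
# Added example, not from the bulletin. Namespace, job and path are assumed
# names used only to show where a deny capability sits in a variables policy.
namespace "default" {
  variables {
    # Path a task in job "example" reaches through its workload identity.
    path "nomad/jobs/example" {
      # "deny" is expected to override any other capability on this path.
      capabilities = ["deny"]
    }
  }
}
```

A policy like this is associated with a job's workload identity via the `-job` option of `nomad acl policy apply` (assumed invocation; check the Nomad ACL documentation for your version). After upgrading, a read of that path from inside the task should be rejected; if it still succeeds, the running cluster is not yet on a fixed version.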
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.4.6, 1.5.1, or newer. See Nomad’s Upgrading documentation for general guidance on this process.
Acknowledgement
This issue was identified by the HashiCorp OSS community.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.