HCSEC-2023-09 - Nomad ACLs Cannot Deny Access to Workload's Own Variables

Bulletin ID: HCSEC-2023-09
Affected Products / Versions: Nomad and Nomad Enterprise 1.4.0 up to 1.5.0; fixed in 1.4.6 and 1.5.1.
Publication Date: March 13, 2023

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a deny ACL capability could not be applied to a workload’s own variables. A policy that included a deny capability for paths a workload is implicitly allowed to read was silently ignored: the Nomad ACL system granted access instead of blocking it, and no error or warning was produced. This vulnerability, CVE-2023-1296, was fixed in Nomad 1.4.6 and 1.5.1.

Nomad 1.4.0 introduced the variables feature together with a new workload identity feature, so that tasks can access their own variables without an operator needing to create and pass a Nomad ACL token. This implicit access is what the deny capability failed to override.
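To make the failure mode concrete, the following Go program models the access decision for a task reading a variable. It is an added example, not Nomad's code: the `nomad/jobs/<job>/<group>/<task>` path layout and the implicit read access of a workload identity follow Nomad's documented behaviour, but `Policy`, `implicitPaths`, `canReadVulnerable` and `canReadFixed` are hypothetical helpers, and the evaluation order they show (implicit allow short-circuiting before deny is consulted, versus deny checked first) is a simplified model of the bug and the fix rather than the real code path. Exact-path matching is used; real policies also support wildcards, which the model omits.

```go
// Added example: a simplified model of the CVE-2023-1296 failure mode.
// Not Nomad's implementation; names and evaluation order are assumptions.
package main

import "fmt"

// Capability names as they appear in the variables block of a Nomad ACL policy.
const (
	CapRead = "read"
	CapDeny = "deny"
)

// Policy maps a variable path to the capabilities a policy grants on it.
// It stands in for an HCL policy such as:
//
//	namespace "default" {
//	  variables {
//	    path "nomad/jobs/web/app/server" { capabilities = ["deny"] }
//	  }
//	}
type Policy map[string][]string

// implicitPaths lists the variable paths a task's workload identity may read
// without an ACL token: the job, group and task prefixes of that task.
func implicitPaths(job, group, task string) []string {
	return []string{
		"nomad/jobs/" + job,
		"nomad/jobs/" + job + "/" + group,
		"nomad/jobs/" + job + "/" + group + "/" + task,
	}
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// policyHas reports whether the policy grants cap on exactly this path.
func policyHas(p Policy, path, cap string) bool {
	return contains(p[path], cap)
}

// canReadVulnerable models the broken ordering: the implicit workload allow
// is consulted first and short-circuits, so a deny on the workload's own
// paths is never reached. This is the behaviour the bulletin describes.
func canReadVulnerable(p Policy, job, group, task, path string) bool {
	if contains(implicitPaths(job, group, task), path) {
		return true // deny in the attached policy is silently ignored
	}
	return policyHas(p, path, CapRead)
}

// canReadFixed models the corrected ordering: an explicit deny wins over any
// allow, whether implicit (workload identity) or explicit (policy read).
func canReadFixed(p Policy, job, group, task, path string) bool {
	if policyHas(p, path, CapDeny) {
		return false
	}
	if contains(implicitPaths(job, group, task), path) {
		return true
	}
	return policyHas(p, path, CapRead)
}

func main() {
	// Constructed scenario: task "server" in group "app" of job "web",
	// with a policy that denies the task's own variable path.
	p := Policy{"nomad/jobs/web/app/server": {CapDeny}}
	own := "nomad/jobs/web/app/server"
	fmt.Printf("vulnerable: read %s -> %v\n", own, canReadVulnerable(p, "web", "app", "server", own))
	fmt.Printf("fixed:      read %s -> %v\n", own, canReadFixed(p, "web", "app", "server", own))
	// The job-level path has no deny, so implicit access still applies after the fix.
	fmt.Printf("fixed:      read nomad/jobs/web -> %v\n", canReadFixed(p, "web", "app", "server", "nomad/jobs/web"))
}
```

The point of the model is the ordering: an ACL evaluator that returns on the first matching allow cannot honour a deny that was written to restrict that same principal, so deny rules must be checked before any allow, including implicit ones granted by identity rather than by policy.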

An OSS user reported that adding a policy with a deny capability did not deny access to a variable; internal investigation confirmed the behavior.

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.4.6, 1.5.1, or newer. Until the upgrade is complete, operators should not rely on deny capabilities to restrict a workload's access to variables under its own job path, since those rules are not enforced on affected versions. See Nomad’s Upgrading documentation for general guidance on this process.

This issue was identified by the HashiCorp OSS community.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.