HCSEC-2023-20 - Nomad ACL Policies without Label are Applied to Unexpected Resources

Bulletin ID: HCSEC-2023-20
Affected Products / Versions: Nomad and Nomad Enterprise 0.7 up to 1.5.6 and 1.4.10; fixed in 1.6.0, 1.5.7, and 1.4.11.
Publication Date: July 19, 2023

Summary
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that an ACL policy using a block without a label may be applied to unexpected resources. This vulnerability, CVE-2023-3072, affects Nomad from 0.7 up to 1.5.6 and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.

Background
Nomad provides an ACL policy system to enable authorization for the HTTP API. Administrators author ACL policies using HCL syntax and apply these policies to the cluster. Labels may be used to define the Nomad resources that specific policy blocks are applied to.

Details
Internal testing by the Nomad engineering team identified that policy blocks which take a label, but are written without one, may be applied to unexpected resources.

For example, the policy below, whose namespace block carries no label, is unexpectedly applied to a namespace called policy.

namespace {
  policy = "read"
}

This may lead cluster administrators to create policies that allow access to unintended resources. For namespace blocks in particular, the Nomad documentation explicitly describes omitting the label as a supported use-case and states that such a policy is applied to the default namespace; an administrator following the documentation would therefore expect the policy above to grant read access to the default namespace, not to a namespace called policy.
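As an added illustration (not code from this bulletin or from Nomad itself), the Go program below scans the HCL text of an ACL policy for label-bearing blocks written without a label, reports the line each one starts on, and rewrites an unlabeled namespace block to name the default namespace explicitly, which is what the documentation says the author intended. The set of label-bearing block types, the sample policy text, and the function names are assumptions of the example; host_volume blocks are only flagged, because they have no documented default resource.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Block types in a Nomad ACL policy that are written with a label naming the
// resource they govern (namespace "x" { ... }, host_volume "x" { ... }).
// This list is an assumption of the example; extend it for other labelled
// block types used in your policies.
var labelledBlockTypes = []string{"namespace", "host_volume"}

// unlabeledBlock matches a line that opens one of those blocks with no label
// before the brace, e.g. `namespace {`.
var unlabeledBlock = regexp.MustCompile(
	`^[ \t]*(` + strings.Join(labelledBlockTypes, "|") + `)[ \t]*\{`)

// unlabeledNamespace is used to rewrite `namespace {` as `namespace "default" {`.
var unlabeledNamespace = regexp.MustCompile(`(?m)^([ \t]*namespace)[ \t]*\{`)

// Finding records one unlabeled block and the line it starts on (1-based).
type Finding struct {
	Line  int
	Block string
}

// FindUnlabeledBlocks scans the HCL text of one policy and reports every
// label-bearing block that was written without a label. Comment lines are skipped.
func FindUnlabeledBlocks(policy string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(policy, "\n") {
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "#") || strings.HasPrefix(trimmed, "//") {
			continue
		}
		if m := unlabeledBlock.FindStringSubmatch(line); m != nil {
			findings = append(findings, Finding{Line: i + 1, Block: m[1]})
		}
	}
	return findings
}

// LabelDefaultNamespace makes the intent described in the Nomad documentation
// explicit: an unlabeled namespace block is meant to apply to the "default"
// namespace, so it is rewritten to say so. Other unlabeled block types are
// left untouched for the administrator to label by hand.
func LabelDefaultNamespace(policy string) string {
	return unlabeledNamespace.ReplaceAllString(policy, `${1} "default" {`)
}

func main() {
	// Constructed sample policy (assumption of this example): the unlabeled
	// block from the bulletin, a correctly labelled block, and an unlabeled
	// host_volume block.
	const policy = `# read access the author expects to apply to the default namespace
namespace {
  policy = "read"
}

namespace "prod" {
  policy = "write"
}

host_volume {
  policy = "read"
}
`
	for _, f := range FindUnlabeledBlocks(policy) {
		fmt.Printf("line %d: %s block has no label\n", f.Line, f.Block)
	}
	fmt.Print(LabelDefaultNamespace(policy))
}
```

Run this over every policy returned by the ACL API before and after upgrading; a policy with any finding should be rewritten with an explicit label naming the resource the author meant, rather than relying on the label-less form.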

More requirements and recommendations for a secure Nomad deployment can be found in the security model.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.6.0, 1.5.7, or 1.4.11, or newer. Existing policies should also be reviewed for blocks written without a label and, where the label-less form was relied upon, rewritten with an explicit label naming the intended resource.

See Nomad’s Upgrading documentation for general guidance on this process.

Acknowledgement
This issue was identified by the Nomad engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.