HCSEC-2023-22 - Nomad Search API Leaks Information About CSI Plugins

Bulletin ID: HCSEC-2023-22
Affected Products / Versions: Nomad and Nomad Enterprise 0.11 up to 1.5.6 and 1.4.1; fixed in 1.6.0, 1.5.7, and 1.4.11.
Publication Date: July 19, 2023

Summary
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability, CVE-2023-3300, affects Nomad since 0.11 and was fixed in 1.6.0, 1.5.7, and 1.4.11.

Background
Nomad provides a search HTTP API filtered by ACL policies so that unauthenticated users or users without the appropriate read/list permissions cannot search for objects they don’t have access to. HTTP endpoints are used both internally by Nomad, and externally by administrators or operators to interact with the cluster, and are also secured using mTLS.

Details
Internal testing by the Nomad engineering team identified it was possible to bypass intended ACL restrictions on the search API endpoint, which exposed only the names of CSI plugins configured in the cluster.

Nomad administrators should use mTLS for HTTP and RPC endpoints. More requirements and recommendations for a secure Nomad deployment can be found in the security model.

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.6.0, 1.5.7, and 1.4.11, or newer.

See Nomad’s Upgrading for general guidance on this process.

Acknowledgement
This issue was identified by the Nomad engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.