Bulletin ID: HCSEC-2024-15
Affected Products / Versions: Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1; fixed in Nomad Enterprise 1.6.13, 1.7.10, 1.8.2.
Publication Date: July 22, 2024
Summary
In HashiCorp Nomad and Nomad Enterprise 1.6.12 up to 1.7.9, and 1.8.1, archive unpacking during migration is vulnerable to path escaping of the allocation directory. This vulnerability, CVE-2024-6717, is fixed in Nomad 1.6.13, 1.7.10, and 1.8.2.
Background
Nomad creates a working directory for each allocation on a client. The allocation working directory is where Nomad creates task directories and directories shared between tasks, writes logs for tasks, and downloads artifacts or templates. The artifact block instructs Nomad to fetch and unpack a remote resource. If these artifacts are archived (zip, tgz, bz2, xz), they are automatically unarchived before starting the task.
Details
Internal testing by the Product Security and Nomad R&D teams identified that the allocation directory stream did not properly restrict paths during unpacking, allowing a malicious actor to craft an archive that unpacks to paths outside the intended allocation directory.
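The check described above, as an added illustration and not Nomad's own code: an unpacker must confirm that every archive entry, once joined to the destination and cleaned, still resolves under that destination. The destination path and entry names below are constructed sample input.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
	"strings"
)

// entryEscapes reports whether archive entry name, once joined to dest and
// cleaned, would land outside dest. Added illustration, not Nomad's own code.
func entryEscapes(dest, name string) bool {
	dest = filepath.Clean(dest)
	// Join cleans ".." segments, so a traversal entry resolves above dest.
	rel, err := filepath.Rel(dest, filepath.Join(dest, name))
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// checkArchive reads a tar stream and splits entry names into those that stay
// under dest and those that would escape it; nothing is written to disk.
func checkArchive(r io.Reader, dest string) (ok, rejected []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, nextErr := tr.Next()
		if nextErr == io.EOF {
			return ok, rejected, nil
		}
		if nextErr != nil {
			return nil, nil, nextErr
		}
		if entryEscapes(dest, hdr.Name) {
			rejected = append(rejected, hdr.Name)
			continue
		}
		ok = append(ok, hdr.Name)
	}
}

// buildTar builds an in-memory tar with the given entry names: constructed
// sample input standing in for a migrated allocation-directory stream.
func buildTar(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		_ = tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: 1})
		_, _ = tw.Write([]byte("x"))
	}
	_ = tw.Close()
	return buf.Bytes()
}
```

A lexical check like this does not cover symlink entries whose target points outside dest; a complete extractor must also validate link targets before writing through them.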
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.6.13, 1.7.10, 1.8.2 or newer.
Please refer to Upgrading Nomad for general guidance and the Upgrade Guides for version-specific upgrade notes.
Acknowledgement
This issue was identified by HashiCorp’s Product Security and Nomad R&D teams.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.