HCSEC-2024-17 - Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking

Bulletin ID: HCSEC-2024-17
Affected Products / Versions: Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2; fixed in Nomad and Nomad Enterprise 1.6.14, 1.7.11, and 1.8.3.

Publication Date: August 14, 2024

Summary
In HashiCorp Nomad and Nomad Enterprise from 0.6.1 up to 1.6.13, 1.7.10, and 1.8.2, the archive unpacking step used when migrating an allocation directory from one client to another can write outside the destination allocation directory when multiple archive headers target the same file. This vulnerability, CVE-2024-7625, is fixed in Nomad 1.6.14, 1.7.11, and 1.8.3.

Exploitation requires prior access to, or compromise of, the Nomad client agent on the source node, that is, the node the allocation is being migrated from; the crafted archive is then unpacked by the destination client.

Background
Nomad creates a working directory for each allocation on a client. The allocation working directory is where Nomad creates task directories and directories shared between tasks, writes task logs, and downloads artifacts or renders templates. The migrate block of a task group specifies the group's strategy for migrating allocations off draining nodes, which is used during cluster operations such as server maintenance and operating system upgrades.

Details
Internal testing by the Product Security and Nomad R&D teams identified that the code which unpacks a streamed allocation directory did not remove an existing file at a path within the allocation directory before writing to that path again. A malicious actor controlling the source could therefore craft an archive containing multiple headers for the same path that, when unpacked, writes a file to a location outside the intended allocation directory.
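The bug class described above, as an added example that is not Nomad's code: a minimal tar unpacker written with Go's archive/tar, with the unsafe behaviour and a hardened variant selected by a flag so the difference is visible in one place. The archive builder, the function names (buildArchive, within, unpack) and the specific header sequence used to trigger the problem (a symbolic link followed by a regular file under the same name) are assumptions made for illustration; the bulletin states only that multiple headers target the same file and that existing files were not removed before unpacking. The hardened path also checks that each entry's parent directory resolves inside the root, which goes beyond the specific case in the text.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildArchive returns a constructed sample tar stream (not a real Nomad
// allocation archive) with two headers for the same entry name: a symbolic link
// to escapeTarget, then a regular file holding payload. Assumption: this is the
// shape of "multiple archive headers targeting the same file".
func buildArchive(name, escapeTarget string, payload []byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	_ = tw.WriteHeader(&tar.Header{Name: "task/", Typeflag: tar.TypeDir, Mode: 0o755})
	_ = tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeSymlink, Linkname: escapeTarget})
	_ = tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(payload))})
	_, _ = tw.Write(payload)
	_ = tw.Close()
	return buf.Bytes()
}

// within reports whether p is root itself or lies lexically beneath it.
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// unpack extracts archive beneath root, an existing absolute path. With
// hardened=false it reproduces the bug class: every name passes the lexical
// check, but a regular file is opened with O_TRUNC and so is written through
// whatever an earlier header left at that path, e.g. a symlink out of root.
// With hardened=true the parent must resolve (through any symlinks) inside
// root, anything already at dst is unlinked rather than opened through, and
// the file is created with O_EXCL.
func unpack(root string, archive []byte, hardened bool) error {
	root, err := filepath.EvalSymlinks(root)
	if err != nil {
		return err
	}
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		dst := filepath.Join(root, hdr.Name)
		if !within(root, dst) {
			return fmt.Errorf("entry %q escapes %s", hdr.Name, root)
		}
		if hdr.Typeflag == tar.TypeDir {
			if err := os.MkdirAll(dst, 0o755); err != nil {
				return err
			}
			continue
		}
		flag := os.O_TRUNC
		if hardened {
			parent, err := filepath.EvalSymlinks(filepath.Dir(dst))
			if err != nil || !within(root, parent) {
				return fmt.Errorf("parent of %q is missing or resolves outside %s", hdr.Name, root)
			}
			// os.Remove unlinks a symlink itself and never follows it; a non-empty
			// directory at dst is a conflict and surfaces as an error here.
			if err := os.Remove(dst); err != nil && !os.IsNotExist(err) {
				return err
			}
			flag = os.O_EXCL
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			err = os.Symlink(hdr.Linkname, dst)
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|flag, os.FileMode(hdr.Mode)); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		default:
			err = fmt.Errorf("%q: unsupported entry type %d", hdr.Name, hdr.Typeflag)
		}
		if err != nil {
			return err
		}
	}
}

func main() {
	root, _ := os.MkdirTemp("", "alloc")
	defer os.RemoveAll(root)
	target := filepath.Join(filepath.Dir(root), "escaped.txt") // a sibling of root, so outside it
	defer os.Remove(target)
	arc := buildArchive("task/out.txt", target, []byte("hi\n"))
	fmt.Println("naive:", unpack(root, arc, false), "hardened:", unpack(root, arc, true))
}
```

With hardened=false the second header's write lands at the symlink's target outside the root even though every entry name passed the lexical containment check, which is why a path-prefix check alone is not a fix for this class; the hardened path removes whatever the earlier header created before creating the entry anew, and O_EXCL turns any remaining race into an error instead of a write through a link.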

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.6.14, 1.7.11, or 1.8.3, or newer. Because exploitation requires control of a client agent on the source node, clusters in which client nodes are less trusted than one another, or in which a client compromise is considered plausible, should prioritise the upgrade.

Please refer to Upgrading Nomad for general guidance and the Upgrade Guides for version-specific upgrade notes.

Acknowledgement
This issue was identified by HashiCorp’s Product Security and Nomad R&D teams.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.