Bulletin ID: HCSEC-2024-29
Affected Products / Versions:
Nomad Community Edition from 1.4.0 up to 1.9.3, fixed in 1.9.4.
Nomad Enterprise from 1.4.0 up to 1.9.3, 1.8.7, 1.7.15, fixed in 1.9.4, 1.8.8, and 1.7.16.
Publication Date: December 19, 2024
Summary
Nomad Community and Nomad Enterprise (“Nomad”) allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.
Background
Every workload running in Nomad is given a default identity. When an allocation is accepted by the scheduler, the leader generates a Workload Identity for each task in the allocation. This workload identity is a JSON Web Token (JWT) that has been signed by the leader’s keyring. Additional workload identities may be defined in tasks and services using the identity block.
You can associate additional ACL policies with workload identities by passing the -job, -group, and -task flags to nomad acl policy apply. When Nomad resolves a workload identity claim, it automatically includes the policies that match. If no matching policies exist, the workload identity does not have any additional capabilities.
Details
Before the fix, reading an allocation through the Read Allocation API or the nomad alloc command returned the allocation's Workload Identity tokens unredacted. A Workload Identity token grants access to the workload's Nomad variables and service discovery, and it also carries any ACL policies that have been associated with the workload through the -job, -group, and -task flags described above. A user with only namespace:read access could therefore read any allocation in the namespace, extract its tokens, and escalate to the policies attached to any workload in that namespace.
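The following script is an added illustration of the Background and Details sections above; it is not part of the HashiCorp bulletin or the Nomad code base. It takes the JSON an unpatched server's Read Allocation API would return, lists the workload identity tokens a namespace:read user could harvest from it, resolves which ACL policies Nomad would attach to each token under the -job/-group/-task scoping, and checks a Nomad version against the bulletin's affected ranges. The allocation, tokens and policies are constructed; the allocation field names SignedIdentities and TaskGroup and the claim names nomad_namespace, nomad_job_id and nomad_task are assumptions about the real API shape.

```python
# Added example (not part of the HashiCorp bulletin or the Nomad code base).
# Assumed names: allocation fields "SignedIdentities" and "TaskGroup", and the
# workload identity claims nomad_namespace / nomad_job_id / nomad_task.
# Every token, allocation and policy below is constructed for this example.
import base64
import json


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _constructed_jwt(claims: dict) -> str:
    """Token with the shape of a Nomad workload identity JWT. The signature
    is a dummy string: this example only decodes claims, it never verifies."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2lnbmF0dXJl"


def _claims(task: str) -> dict:
    return {
        "nomad_namespace": "prod",
        "nomad_job_id": "payments",
        "nomad_allocation_id": "11111111-2222-3333-4444-555555555555",
        "nomad_task": task,
        "sub": f"prod:payments:api:{task}",
    }


# Constructed allocation as an unpatched server returns it: the per-task
# token map is present, so anyone who can read the alloc can use the tokens.
LEAKY_ALLOC = {
    "ID": "11111111-2222-3333-4444-555555555555",
    "Namespace": "prod",
    "JobID": "payments",
    "TaskGroup": "api",
    "SignedIdentities": {
        "web": _constructed_jwt(_claims("web")),
        "sidecar": _constructed_jwt(_claims("sidecar")),
    },
}

# The same allocation as a fixed server returns it: the token map is redacted.
FIXED_ALLOC = {k: v for k, v in LEAKY_ALLOC.items() if k != "SignedIdentities"}

# Constructed policies, mirroring `nomad acl policy apply -namespace prod
# -job payments [-group api [-task sidecar]] <name> <file>`.
POLICIES = [
    {"name": "payments-secrets", "namespace": "prod", "job": "payments"},
    {"name": "api-db-creds", "namespace": "prod", "job": "payments",
     "group": "api", "task": "sidecar"},
    {"name": "billing-secrets", "namespace": "prod", "job": "billing"},
]


def decode_claims(token: str) -> dict:
    """Decode the JWT payload without verification (enough to read claims)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def leaked_identities(alloc: dict) -> dict:
    """task name -> claims for every token the alloc response exposes.
    Returns {} for a response from a fixed server."""
    tokens = alloc.get("SignedIdentities") or {}
    return {task: decode_claims(tok) for task, tok in tokens.items()}


def matching_policies(alloc: dict, claims: dict, policies: list) -> list:
    """Policies Nomad would attach when resolving these claims: namespace and
    job must match; a group or task scope, when present, must match too."""
    names = []
    for p in policies:
        if (p["namespace"], p["job"]) != (claims["nomad_namespace"], claims["nomad_job_id"]):
            continue
        if p.get("group") and p["group"] != alloc["TaskGroup"]:
            continue
        if p.get("task") and p["task"] != claims["nomad_task"]:
            continue
        names.append(p["name"])
    return names


def escalation_report(alloc: dict, policies: list) -> dict:
    """What a namespace:read user gains from one alloc read: per task, the
    extra policies its leaked token resolves to."""
    return {task: matching_policies(alloc, claims, policies)
            for task, claims in leaked_identities(alloc).items()}


def is_affected(version: str, enterprise: bool = False) -> bool:
    """Bulletin ranges: 1.4.0 and later are affected until the fix for that
    minor line (1.9.4 for CE; 1.9.4 / 1.8.8 / 1.7.16 for Enterprise)."""
    v = tuple(int(x) for x in version.split("+")[0].split("-")[0].split("."))
    if v < (1, 4, 0):
        return False
    fixed = [(1, 9, 4)] + ([(1, 8, 8), (1, 7, 16)] if enterprise else [])
    for fix in fixed:
        if v[:2] == fix[:2]:
            return v < fix
    return v < (1, 9, 4)  # minors without a backport are only fixed by 1.9.4


if __name__ == "__main__":
    print("unpatched:", json.dumps(escalation_report(LEAKY_ALLOC, POLICIES)))
    print("patched:  ", json.dumps(escalation_report(FIXED_ALLOC, POLICIES)))
    for ver, ent in [("1.9.3", False), ("1.9.4", False), ("1.8.7+ent", True)]:
        print(ver, "affected" if is_affected(ver, ent) else "fixed")
```

On the constructed input the unpatched response yields the job-wide policy for both tasks and, for the sidecar task only, the task-scoped policy as well, which is exactly the escalation path the bulletin describes; the patched response yields nothing. Against a live cluster the equivalent check is to inspect the output of nomad alloc status -json for a token map under the (assumed) SignedIdentities key; a server at or above the fixed version should not return one.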
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.9.4, 1.8.8, 1.7.16, or newer.
Please refer to Upgrading Nomad for general guidance and the Upgrade Guides for version-specific upgrade notes.
Acknowledgement
This issue was identified by HashiCorp's Nomad engineering teams.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.