Nomad 0.12.8, Nomad 0.11.7, and Nomad 0.10.8 were released with an important security fix and a critical bug fix:
CVE-2020-28348 Nomad File Sandbox Escape via Container Volume Mount
A vulnerability was discovered in Nomad and Nomad Enterprise (“Nomad”) such that an operator with job submission capabilities can mount the host file system of a client agent and subvert the default Docker file sandbox feature when not explicitly disabled or when using a volume mount type. This vulnerability affects version 0.9.0 up to 0.12.7, and is fixed in the 0.12.8, 0.11.7, and 0.10.8 releases.
Nomad disables host filesystem access by default in 0.12.0 and above to prevent job operators from accessing the client filesystem used to persistently store any required data on disk. The Docker task driver provides a volume mount type which can be used to access the client host filesystem from within a container, but clients must be configured to enable mounting directories outside an allocation’s path to prevent abuse from unprivileged operators.
This issue is identified publicly as CVE-2020-28348.
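As an added example that is not part of this advisory or of Nomad itself, the following script audits a job definition for Docker-driver volume and mount stanzas that can reach the client host filesystem, so operators can review such jobs alongside the client-side volume configuration described above. It assumes the JSON shape returned by `nomad job inspect` (Job -> TaskGroups -> Tasks -> Config) and the documented docker driver keys `volumes`, `mount` and `mounts`; the sample job is constructed.

```python
"""Audit a Nomad job for Docker task stanzas that can reach the client host.
Added example, not HashiCorp's code. Assumes the `nomad job inspect` JSON
shape and the docker driver config keys "volumes", "mount" and "mounts"."""
import json

# Constructed sample shaped like `nomad job inspect` output (not a real job).
SAMPLE_JOB_JSON = json.dumps({"Job": {"ID": "web", "TaskGroups": [{"Name": "app", "Tasks": [
    {"Name": "api", "Driver": "docker", "Config": {
        "image": "example/api:1.0",
        "volumes": ["local/cache:/cache", "/etc:/host-etc:ro"],
        "mount": [{"type": "volume", "source": "data", "target": "/data"}]}},
    {"Name": "worker", "Driver": "exec", "Config": {"command": "/bin/worker"}},
]}]}})


def _findings_for_task(group, task):
    """Return (group/task, stanza, detail) tuples that need operator review."""
    cfg = task.get("Config") or {}
    name = f"{group['Name']}/{task['Name']}"
    out = []
    for spec in cfg.get("volumes") or []:
        src = spec.split(":", 1)[0]
        # An absolute source binds a client host path directly; a relative one
        # resolves inside the allocation directory and stays in the sandbox.
        if src.startswith("/"):
            out.append((name, "volumes", f"host path {src}"))
    for m in (cfg.get("mount") or []) + (cfg.get("mounts") or []):
        mtype = m.get("type", "volume")  # docker driver default type is "volume"
        if mtype == "bind" and str(m.get("source", "")).startswith("/"):
            out.append((name, "mount", f"bind of host path {m['source']}"))
        elif mtype == "volume":
            # Docker named volumes take driver options; review them explicitly.
            out.append((name, "mount", f"docker volume {m.get('source')}"))
    return out


def audit_job(job_json):
    """Collect findings for every docker-driver task in the job document."""
    job = json.loads(job_json)["Job"]
    findings = []
    for group in job.get("TaskGroups") or []:
        for task in group.get("Tasks") or []:
            if task.get("Driver") == "docker":
                findings.extend(_findings_for_task(group, task))
    return findings


if __name__ == "__main__":
    for name, stanza, detail in audit_job(SAMPLE_JOB_JSON):
        print(f"{name}: {stanza} -> {detail}")
```

Run it against `nomad job inspect <job> > job.json` output on a client where docker `volumes.enabled` is in question; an empty result means no host-reaching stanza was found by this check, not that the client configuration is safe.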
Critical Bug During Upgrades from pre-0.9
A bug was identified in all versions of Nomad after 0.9.2. If a client agent is upgraded from a pre-0.9 version of Nomad to 0.9.2 or later, all exec-based tasks (including exec, raw_exec, java, and qemu) will fail to recover and will be leaked, and Nomad will then start another task in their place. The leaked pre-0.9 task will run uninterrupted and unmanaged until the client dies or the task is killed manually.
Nomad 1.0 beta
The remediation for both issues will also be included in the upcoming Nomad 1.0 beta3.
Remediation:
Users should upgrade to Nomad or Nomad Enterprise 0.12.8, 0.11.7, 0.10.8, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.
Links:
Changelog - https://github.com/hashicorp/nomad/blob/master/CHANGELOG.md#0128-november-10-2020
Binaries - https://releases.hashicorp.com/nomad/0.12.8/