Nomad 1.0.3 and Nomad 0.12.10 were released with an important security fix:
CVE-2021-3283: Nomad exec and java tasks do not run in isolated PID/IPC namespaces
A vulnerability was discovered in Nomad and Nomad Enterprise ("Nomad") wherein processes launched by exec-based task drivers (i.e., exec and java) are not isolated into new PID and IPC namespaces. As a result, they have visibility into other processes. Specifically, they can view the environment and filesystem for other processes running as the same user (default: nobody), including secrets and Vault tokens. This affects all known versions of Nomad. The patch applies to Nomad clients running the exec or java task drivers on Linux. Third-party driver plugins that use the shared library code may be similarly affected.
This issue is identified publicly as CVE-2021-3283.
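As an added example that is not part of the advisory or of Nomad's own code, the following POSIX shell check can be run on a Nomad client host (as root, since it reads /proc/<pid>/ns) to confirm whether a given task process has its own PID and IPC namespaces or still shares the host's, which is the behaviour described above. It assumes the task's PID is already known (for example from ps on the client); the optional procroot parameter only exists so the logic can be exercised against a constructed /proc tree.

```shell
#!/bin/sh
# Added example, not Nomad code: compare a task process's PID and IPC
# namespaces against PID 1's. Unpatched exec/java tasks share both.
# Usage: task_ns_shared <pid> [procroot]
#   exit 0 -> task has its own pid and ipc namespaces
#   exit 1 -> task still shares one or both with the host (prints which)

# Namespace identity of <pid> for <nstype>, e.g. "pid:[4026531836]".
ns_id() {
  readlink "${3:-/proc}/$1/ns/$2"
}

# Returns 0 when <pid>'s <nstype> namespace differs from PID 1's,
# 1 when they are the same, 2 if /proc could not be read.
ns_isolated() {
  pid=$1; nstype=$2; procroot=${3:-/proc}
  host=$(ns_id 1 "$nstype" "$procroot") || return 2
  task=$(ns_id "$pid" "$nstype" "$procroot") || return 2
  [ "$host" != "$task" ]
}

# Checks the two namespaces the advisory names and reports any still shared.
task_ns_shared() {
  pid=$1; procroot=${2:-/proc}; shared=""
  for ns in pid ipc; do
    ns_isolated "$pid" "$ns" "$procroot" || shared="$shared $ns"
  done
  if [ -n "$shared" ]; then
    echo "pid $pid shares host namespaces:$shared"
    return 1
  fi
  echo "pid $pid has its own pid and ipc namespaces"
  return 0
}
```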
Remediation:
Users should upgrade clients to Nomad or Nomad Enterprise 1.0.3, 0.12.10, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.
Links:
Changelog - https://github.com/hashicorp/nomad/blob/v1.0.3/CHANGELOG.md
Binaries - Nomad v1.0.3 Binaries | HashiCorp Releases