Nomad 1.0.3 and Nomad 0.12.10 were released with an important security fix:
java tasks do not run in isolated PID/IPC namespaces
A vulnerability was discovered in Nomad and Nomad Enterprise (“Nomad”) wherein processes launched by exec-based task drivers (i.e., java) are not isolated into new PID and IPC namespaces. As a result, they have visibility into other processes. Specifically, they can view the environment and filesystem for other processes running as the same user (default: nobody), including secrets and Vault tokens. This affects all known versions of Nomad. The patch applies to Nomad clients running the java task drivers on Linux. Third-party driver plugins that use the shared library code may be similarly affected.
This issue is identified publicly as CVE-2021-3283.
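The following is an added verification script, not part of the advisory or of Nomad itself, that an operator can run as a task's main process after upgrading to confirm the task is confined to its own PID namespace. It reads only `/proc/<pid>/status` (never another process's environment or files) and reports every process outside the task's own subtree as a leak, with same-uid processes being the case the advisory describes. It assumes `/proc` inside the task reflects the task's PID namespace; the uid 65534 in the constructed sample data is the usual numeric id of `nobody`.

```python
import os
from dataclasses import dataclass


@dataclass
class VisibleProc:
    pid: int
    ppid: int
    uid: int
    name: str


def parse_status(text):
    """Parse the key/value lines of /proc/<pid>/status into a VisibleProc."""
    fields = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        fields[key] = val.strip()
    return VisibleProc(int(fields["Pid"]), int(fields["PPid"]),
                       int(fields["Uid"].split()[0]), fields["Name"])


def snapshot_proc(proc_root="/proc"):
    """List processes visible under proc_root. Only status is read; environ,
    cwd and fd are never touched, so the check itself exposes nothing."""
    procs = []
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "status")) as f:
                    procs.append(parse_status(f.read()))
            except OSError:
                pass  # process exited mid-scan or status is not readable
    return procs


def assess_isolation(procs, self_pid):
    """Classify what the task can see. Its own subtree is not a leak; every
    other process is, and same-uid ones are readable per the advisory."""
    own = {self_pid}
    grew = True
    while grew:  # add the task's descendants transitively
        grew = False
        for p in procs:
            if p.pid not in own and p.ppid in own:
                own.add(p.pid)
                grew = True
    self_uid = next((p.uid for p in procs if p.pid == self_pid), None)
    foreign = [p for p in procs if p.pid not in own]
    same_uid = [p for p in foreign if p.uid == self_uid]
    return {"visible": len(procs), "foreign": len(foreign),
            "same_uid_foreign": len(same_uid), "isolated": not foreign}


if __name__ == "__main__":
    print(assess_isolation(snapshot_proc(), os.getpid()))
```

On a patched client an exec or java task should report `isolated: True`; a non-zero `same_uid_foreign` means other tasks' processes, and therefore their environment and filesystem, are visible.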