CVE-2022-24683 Nomad alloc exec+fs Container Escape

[lgfa29]

Summary

Nomad and Nomad Enterprise (“Nomad”) allows operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root through the Nomad client agent. This vulnerability, CVE-2022-24683, was fixed in Nomad 1.0.17, 1.1.12, and 1.2.6.

Background

Nomad creates a directory on the host filesystem for any task in a job, called an allocation. This directory is the “allocation directory”. It also provides an API to read files in the allocation directory given the operator has permissions to do so, granted with the read-fs capability.

Details

During external testing, it was observed that a Nomad allocation in combination with the file system read API could be used to read arbitrary files on the host outside of the allocation directory. Nomad’s logging logic has been modified to no longer allow this attack.

Remediation

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.2.6, 1.1.12, and 1.0.18, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.