
Nomad Workload Identity Token Can List Non-sensitive Metadata for Paths Under nomad/ #15012

Closed
tgross opened this issue Oct 21, 2022 · 2 comments
Comments

@tgross
Member
tgross commented Oct 21, 2022

Bulletin ID: HCSEC-2022-25
Bulletin Title: Nomad Workload Identity Token Can List Non-sensitive Metadata for Paths Under nomad/

Publication Date: October 27, 2022

Affected Products / Versions: Nomad and Nomad Enterprise 1.4.0 up to 1.4.1; fixed in 1.4.2.

Summary:
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. This vulnerability, with CVE assignment pending, was fixed in Nomad 1.4.2.

Background:
Nomad’s workload identity is a JWT signed by the leader's keyring that is currently only used for template access to Variables, and not exposed outside of Nomad.

Details:
During internal testing it was observed that a workload identity token can be used to list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. The metadata consists only of the path (job/group/task name) and create/modify timestamps.

This behavior may be used by a malicious operator or third party with authenticated access to access non-sensitive information which may provide context they otherwise might not have. Nomad’s authorization logic has been modified to prevent this potential abuse scenario.

Remediation:
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.4.2, or newer.

See Nomad’s Upgrading for general guidance on this process.

Acknowledgement:
This issue was identified internally by the Nomad engineering team.

Additional content required for disclosure:

CVE Description:
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. Fixed in 1.4.2.

CHANGELOG Entry:
https://github.com/hashicorp/nomad/blob/v1.4.2/CHANGELOG.md#142-october-26-2022
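
The bulletin above describes a list operation that was scoped only by namespace, so a workload's token could enumerate the paths and timestamps of other jobs' variables under nomad/. The following Go program is an added illustration and is not Nomad's own code: it models the workload's JWT claims and the non-sensitive metadata record as hypothetical structs (`WorkloadClaims`, `VariableMeta`), applies a namespace-only list check beside a check that additionally confines results to the workload's own nomad/jobs/<job> subtree, and runs both over a constructed metadata store. Scoping to the whole job subtree is a simplifying assumption for the example; Nomad's actual implicit workload policy is defined by the project, not here.

```go
package main

import (
	"fmt"
	"strings"
)

// WorkloadClaims models the identity a workload identity JWT asserts.
// Hypothetical type for this example, not Nomad's own.
type WorkloadClaims struct {
	Namespace string
	JobID     string
	TaskGroup string
	Task      string
}

// VariableMeta is the non-sensitive metadata the bulletin describes:
// the path and its create/modify timestamps. Constructed for illustration.
type VariableMeta struct {
	Namespace  string
	Path       string
	CreateTime int64
	ModifyTime int64
}

// jobPrefix is the nomad/jobs/<job> subtree the workload is allowed to see.
func jobPrefix(c WorkloadClaims) string {
	return "nomad/jobs/" + c.JobID
}

// canListNamespaceOnly is the weak rule: any nomad/ path in the caller's
// namespace is listable, including paths that belong to other jobs.
func canListNamespaceOnly(c WorkloadClaims, v VariableMeta) bool {
	return v.Namespace == c.Namespace && strings.HasPrefix(v.Path, "nomad/")
}

// canListJobScoped is the corrected rule: same namespace AND the path must
// be the workload's own job prefix or lie strictly below it. The "/"
// boundary check prevents job "web" from matching "nomad/jobs/webapp/...".
func canListJobScoped(c WorkloadClaims, v VariableMeta) bool {
	if v.Namespace != c.Namespace {
		return false
	}
	p := jobPrefix(c)
	return v.Path == p || strings.HasPrefix(v.Path, p+"/")
}

// ListVisible returns the paths a caller may see under the given rule.
func ListVisible(c WorkloadClaims, store []VariableMeta,
	allow func(WorkloadClaims, VariableMeta) bool) []string {
	var out []string
	for _, v := range store {
		if allow(c, v) {
			out = append(out, v.Path)
		}
	}
	return out
}

// SampleStore is a constructed set of metadata records spanning two jobs
// in the "default" namespace, a similarly named job, and another namespace.
func SampleStore() []VariableMeta {
	return []VariableMeta{
		{"default", "nomad/jobs/web", 1666300000, 1666300000},
		{"default", "nomad/jobs/web/api/config", 1666300100, 1666300200},
		{"default", "nomad/jobs/webapp/ui", 1666300300, 1666300300},
		{"default", "nomad/jobs/db/main", 1666300400, 1666300500},
		{"other", "nomad/jobs/web/api/config", 1666300600, 1666300600},
	}
}

func main() {
	claims := WorkloadClaims{Namespace: "default", JobID: "web", TaskGroup: "api", Task: "server"}
	fmt.Println("namespace-only:", ListVisible(claims, SampleStore(), canListNamespaceOnly))
	fmt.Println("job-scoped:    ", ListVisible(claims, SampleStore(), canListJobScoped))
}
```

With the namespace-only rule the "web" workload sees four paths, including nomad/jobs/webapp/ui and nomad/jobs/db/main, which is exactly the cross-job leak of path names and timestamps the bulletin reports; the job-scoped rule returns only the two entries under its own job. When reviewing an authorization fix of this kind, the prefix boundary case (web versus webapp) is the one worth a dedicated test.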

@tgross tgross added this to the 1.4.2 milestone Oct 21, 2022
@tgross tgross self-assigned this Oct 21, 2022
@tgross tgross changed the title (placeholder) Nomad Workload Identity Token Can List Non-sensitive Metadata for Paths Under nomad/ Oct 27, 2022
@tgross
Member Author

tgross commented Oct 27, 2022

A request for CVE ID has been issued and this issue will be updated once that's available.

@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 25, 2023