
Nomad Event Stream Subscriber Using ACL Token with TTL Receive Updates Until Garbage Collected #15013

Closed
tgross opened this issue Oct 21, 2022 · 2 comments

@tgross
Member

tgross commented Oct 21, 2022

Bulletin ID: HCSEC-2022-26
Bulletin Title: Nomad Event Stream Subscriber Using ACL Token with TTL Receive Updates Until Garbage Collected

Publication Date: October 27, 2022

Affected Products / Versions: Nomad and Nomad Enterprise 1.4.0 up to 1.4.1; fixed in 1.4.2.

Summary:
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that an event stream subscriber using an ACL token with an expiry TTL set would continue to receive events until the token was garbage collected. This vulnerability, with CVE assignment pending, was fixed in Nomad 1.4.2.

Background:
Nomad’s event stream provides a way to subscribe to Job, Allocation, Evaluation, Deployment, and Node changes in near real time. Whenever a state change occurs in Nomad's Finite State Machine (FSM), a set of events for each updated object is created.

Details:
During internal testing it was observed that an ACL token with an expiry TTL set would continue to receive events until the token was garbage collected. This behavior may be used by a malicious operator or third party with authenticated access to continue to receive events beyond the time limit their token should be allowed.

Nomad’s ACL token TTL verification logic has been modified to authorize the subscriber’s ACL token before sending each event down the stream.

Remediation:
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.4.2, or newer.

See Nomad’s Upgrading for general guidance on this process.

Acknowledgement:
This issue was identified internally by the Nomad engineering team.

Additional content required for disclosure:

CVE Description:
HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream subscribers using a token with TTL receive updates until the token is garbage collected. Fixed in 1.4.2.

CHANGELOG Entry:
n/a
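
The following Go program is an added illustration of the design point in the bulletin's Details section (it is not Nomad's own code, and the `ACLToken`, `Event`, `deliverSubscribeOnly` and `deliverPerEvent` names are assumptions). It models the two authorization strategies side by side: validating the subscriber's token once at subscription time, which keeps delivering events after the TTL has elapsed as long as the token object still exists, versus re-authorizing the token before every event, which is the shape of the fix. The clock and the token lifetime are constructed so that the TTL expires part way through a batch of events.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ACLToken is a simplified stand-in for an ACL token with an optional TTL.
// Assumption: this is not Nomad's real token type; only the expiry field matters here.
type ACLToken struct {
	AccessorID     string
	ExpirationTime time.Time // zero value means the token has no TTL
}

// IsExpired reports whether the token's TTL has elapsed at instant now.
// A token whose TTL has elapsed is expired even if it has not yet been garbage collected.
func (t *ACLToken) IsExpired(now time.Time) bool {
	return !t.ExpirationTime.IsZero() && !now.Before(t.ExpirationTime)
}

// Event is a minimal stand-in for an event-stream event (topic plus raft index).
type Event struct {
	Topic string
	Index uint64
}

var ErrTokenExpired = errors.New("ACL token has expired")

// deliverSubscribeOnly models the behaviour the bulletin describes as vulnerable:
// the token is checked once when the subscription is created, and every later
// event is forwarded without re-checking the TTL. It returns the events delivered.
func deliverSubscribeOnly(tok *ACLToken, events []Event, clock func() time.Time) ([]Event, error) {
	if tok.IsExpired(clock()) {
		return nil, ErrTokenExpired
	}
	return append([]Event(nil), events...), nil
}

// deliverPerEvent re-authorizes the token before sending each event, which is the
// shape of the fix: delivery stops at the first event for which the TTL has elapsed,
// independent of when the token is eventually garbage collected.
func deliverPerEvent(tok *ACLToken, events []Event, clock func() time.Time) ([]Event, error) {
	delivered := make([]Event, 0, len(events))
	for _, ev := range events {
		if tok.IsExpired(clock()) {
			return delivered, ErrTokenExpired
		}
		delivered = append(delivered, ev)
	}
	return delivered, nil
}

// simulate runs both strategies against a constructed token that expires two seconds
// after subscription, with the clock advancing one second per authorization check.
// The constructed scenario: four events arrive; the TTL elapses before the third.
func simulate() (vulnerable, fixed []Event, fixedErr error) {
	start := time.Date(2022, 10, 21, 0, 0, 0, 0, time.UTC)
	tok := &ACLToken{AccessorID: "example-accessor", ExpirationTime: start.Add(2 * time.Second)}
	events := []Event{{"Job", 10}, {"Allocation", 11}, {"Evaluation", 12}, {"Deployment", 13}}

	// newClock returns a fake clock that moves forward one second on every call.
	newClock := func() func() time.Time {
		tick := 0
		return func() time.Time {
			now := start.Add(time.Duration(tick) * time.Second)
			tick++
			return now
		}
	}

	vulnerable, _ = deliverSubscribeOnly(tok, events, newClock())
	fixed, fixedErr = deliverPerEvent(tok, events, newClock())
	return vulnerable, fixed, fixedErr
}

func main() {
	vulnerable, fixed, err := simulate()
	fmt.Printf("subscribe-time check only: %d of 4 events delivered after TTL elapsed\n", len(vulnerable))
	fmt.Printf("per-event check:           %d of 4 events delivered, then: %v\n", len(fixed), err)
}
```

Running it shows the check-once path delivering all four events while the per-event path delivers two and then returns `ErrTokenExpired`. The design lesson is that expiry must be enforced at the point of use on a long-lived stream, not only at the point where the stream is opened, and that expiry and garbage collection are separate lifecycle events that should not be conflated.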

@tgross tgross added this to the 1.4.2 milestone Oct 21, 2022
@tgross tgross changed the title (placeholder) Nomad Event Stream Subscriber Using ACL Token with TTL Receive Updates Until Garbage Collected Oct 27, 2022
@tgross
Member Author

tgross commented Oct 27, 2022

A request for CVE ID has been issued and this issue will be updated once that's available.

@tgross tgross closed this as completed Oct 27, 2022
@github-actions

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 25, 2023