Nomad ACL Policies without Label are Applied to Unexpected Resources #17908

Closed. tgross opened this issue Jul 11, 2023 · 0 comments

tgross (Member) commented Jul 11, 2023
Affected Products / Versions: Nomad and Nomad Enterprise 0.7 up to 1.5.6 and 1.4.10; fixed in 1.6.0, 1.5.7, and 1.4.11.

Summary:
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that an ACL policy using a block without a label generates unexpected results. This vulnerability, CVE-2023-3072, affects Nomad from 0.7 up to 1.5.6 and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.

Background:
Nomad provides an ACL policy system to enable authorization for the HTTP API. Administrators author ACL policies using HCL syntax and apply these policies to the cluster. Users present an ACL token linked to specific policies to the HTTP API when using the CLI or UI.

Details:
Internal testing by the Nomad engineering team identified that policies that expect a label, but don't specify one, can be applied to unexpected resources. For example, the policy below is applied to a namespace called policy.

```hcl
namespace {
  policy = "read"
}
```

This can lead cluster administrators to create policies that allow access to unintended resources. For namespace in particular, the Nomad documentation explicitly states that this is a supported use-case and that the policy is applied to the default namespace.
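As an added illustration (not part of the advisory or of Nomad's code), the following linter scans an ACL policy file for label-expecting blocks that omit the label, and rewrites an unlabeled `namespace` block to name the `default` namespace explicitly, which is the documented intent. The sample policy is constructed from the block above; the set of block types checked and the helper names are assumptions of this example.

```python
import re

# Block types that take a label in Nomad ACL policies. `namespace` is the case
# from the advisory; the set can be extended (e.g. host_volume) as needed.
LABELED_BLOCKS = {"namespace"}

# Matches an HCL block header: type, optional quoted label, then "{".
# Attribute lines such as `policy = "read"` do not match because of the "=".
BLOCK_HEADER = re.compile(
    r'^\s*(?P<type>[A-Za-z_][A-Za-z0-9_]*)\s*(?:"(?P<label>[^"]*)")?\s*\{'
)

# Constructed sample: the unlabeled block from the advisory plus a labeled one.
SAMPLE_POLICY = '''namespace {
  policy = "read"
}

namespace "prod" {
  policy = "write"
}
'''


def find_unlabeled_blocks(policy_hcl: str) -> list[tuple[int, str]]:
    """Return (line_number, block_type) for every label-expecting block
    whose header carries no label; affected Nomad versions applied such a
    block to an unintended namespace instead of `default`."""
    findings = []
    for lineno, line in enumerate(policy_hcl.splitlines(), start=1):
        m = BLOCK_HEADER.match(line)
        if m and m.group("type") in LABELED_BLOCKS and m.group("label") is None:
            findings.append((lineno, m.group("type")))
    return findings


def make_explicit(policy_hcl: str, label: str = "default") -> str:
    """Rewrite unlabeled `namespace` blocks as `namespace "<label>" {` so the
    policy states its target namespace and no longer relies on parser defaults."""
    out = []
    for line in policy_hcl.splitlines(keepends=True):
        m = BLOCK_HEADER.match(line)
        if m and m.group("type") == "namespace" and m.group("label") is None:
            line = line.replace("namespace", f'namespace "{label}"', 1)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for lineno, block in find_unlabeled_blocks(SAMPLE_POLICY):
        print(f"line {lineno}: '{block}' block has no label")
    print(make_explicit(SAMPLE_POLICY))
```

Run it over each policy file before `nomad acl policy apply` to catch unlabeled blocks regardless of the Nomad version the cluster runs.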

More requirements and recommendations for a secure Nomad deployment can be found in the security model.

Remediation:
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.6.0, 1.5.7, and 1.4.11, or newer.

See Nomad’s Upgrading for general guidance on this process.

@tgross tgross added this to the 1.6.0 milestone Jul 11, 2023
@tgross tgross changed the title (placeholder) Nomad ACL Policies without Label are Applied to Unexpected Resources Jul 19, 2023
@tgross tgross closed this as completed Jul 19, 2023
EtienneBruines added a commit to EtienneBruines/nixpkgs that referenced this issue Jul 20, 2023
https://github.com/hashicorp/nomad/releases/tag/v1.5.7

CVE notes from upstream:

acl: Fixed a bug where a namespace ACL policy without label was applied to an unexpected namespace. CVE-2023-3072 [hashicorp/nomad#17908]
search: Fixed a bug where ACL did not filter plugin and variable names in search endpoint. CVE-2023-3300 [hashicorp/nomad#17906]
sentinel (Enterprise): Fixed a bug where ACL tokens could be exfiltrated via Sentinel logs CVE-2023-3299 [hashicorp/nomad#17907]