file sandbox escape via container volume mount

[tgross]

CVE-2020-28348 Nomad File Sandbox Escape via Container Volume Mount

A vulnerability was discovered in Nomad and Nomad Enterprise (“Nomad”) such that an operator with job submission capabilities can mount the host file system of a client agent and subvert the default Docker file sandbox feature when not explicitly disabled or when using a volume mount type. This vulnerability affects version 0.9.0 up to 0.12.7, and is fixed in the 0.12.8, 0.11.7, and 0.10.8 releases.

Nomad disables host filesystem access by default in 0.12.0 and above to prevent job operators from accessing the client filesystem used to persistently store any required data on disk. The Docker task driver provides a volume mount type which can be used to access the client host filesystem from within a container, but clients must be configured to enable mounting directories outside an allocation’s path to prevent abuse from unprivileged operators.

This issue is identified publicly as CVE-2020-28348.

[shantanugadgil]

just curious, will there be a 1.0.0-beta3 for this as well? 😃

[tgross]

@shantanugadgil as noted in the release notes, this is in master and will ship in the next beta release.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.