Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nomad Caller ACL Token's Secret ID is Exposed to Sentinel #17907

Closed
tgross opened this issue Jul 11, 2023 · 0 comments
Closed

Nomad Caller ACL Token's Secret ID is Exposed to Sentinel #17907

tgross opened this issue Jul 11, 2023 · 0 comments
Labels
theme/security type/bug
Milestone
1.6.0

Comments

@tgross
Copy link
Member

tgross commented Jul 11, 2023
edited
Loading

Affected Products / Versions: Nomad and Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10; fixed in 1.6.0, 1.5.7, and 1.4.11.

Summary:
A vulnerability was identified in Nomad Enterprise (“Nomad”) such that the API caller’s ACL token secret ID is exposed to sentinel policies. This vulnerability, CVE-2023-3299, affects Nomad from 1.2.11 up to 1.5.6, and 1.4.10 and was fixed in 1.6.0, 1.5.7, and 1.4.11.

Background:
Nomad provides an expressive policy-as-code system called Sentinel which can be used by administrators to enforce criteria for jobs submitted to a cluster. Authoring or enforcing these Sentinel policies in a cluster requires management-level (administrative) privileges.

Details:
Internal testing by the Nomad engineering team identified that Sentinel policies could access a caller’s ACL token secret ID, which is not strictly required to enforce policies.

This can allow a poorly specified policy to access the token's secret ID and risk leaking it to command and API output if printed. This requires a management token to submit a Sentinel policy to a Nomad cluster and the policy must read the secret from the token explicitly (as nomad_acl_token.secret_id).

More requirements and recommendations for a secure Nomad deployment can be found in the security model.

Remediation:
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.6.0, 1.5.7, and 1.4.11, or newer.

See Nomad’s Upgrading for general guidance on this process.
@tgross tgross added this to the 1.6.0 milestone Jul 11, 2023
@EtienneBruines EtienneBruines mentioned this issue Jul 19, 2023
Merged
12 tasks
@tgross tgross changed the title (placeholder) Nomad Caller ACL Token's Secret ID is Exposed to Sentinel Jul 19, 2023
@tgross tgross closed this as completed Jul 19, 2023
EtienneBruines added a commit to EtienneBruines/nixpkgs that referenced this issue Jul 20, 2023
@EtienneBruines
nomad_1_5: 1.5.6 -> 1.5.7
d345dda 
https://github.com/hashicorp/nomad/releases/tag/v1.5.7

CVE notes from upstream:

acl: Fixed a bug where a namespace ACL policy without label was applied to an unexpected namespace. CVE-2023-3072 [hashicorp/nomad#17908]
search: Fixed a bug where ACL did not filter plugin and variable names in search endpoint. CVE-2023-3300 [hashicorp/nomad#17906]
sentinel (Enterprise): Fixed a bug where ACL tokens could be exfiltrated via Sentinel logs CVE-2023-3299 [hashicorp/nomad#17907]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
theme/security type/bug
Projects
None yet
Milestone
1.6.0
Development

No branches or pull requests
1 participant
@tgross