A vulnerability was discovered in Nomad and Nomad Enterprise (“Nomad”) wherein processes launched by the docker, exec, and java task drivers that make use of Nomad's bridge networking mode can perform ARP spoofing attacks against other tasks on the same node. Specifically, tasks making use of bridge networking are susceptible to other tasks on the same node performing DoS and MITM attacks due to the default enablement of the CAP_NET_RAW Linux capability by these task drivers. This affects all known versions of Nomad. The patch applies to Nomad clients running docker, exec, or java task drivers on Linux with tasks making use of bridge networking mode. Third-party driver plugins that use the shared library code may be similarly affected.
The implemented fix is to no longer enable CAP_NET_RAW by default. Note that this will cause applications which make use of ICMP packets (e.g. ping) to no longer work. Previous behavior can be restored by setting allow_caps on the docker task driver. A future version of Nomad will implement the same allow_caps configuration for the exec and java task drivers.
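To verify on a Nomad client node whether running task processes still hold CAP_NET_RAW after the upgrade (or after an allow_caps override), the effective capability mask in /proc/&lt;pid&gt;/status can be decoded. This is an added audit example, not code from Nomad or the advisory; the CapEff/CapBnd values in the samples are constructed, and the bit number comes from linux/capability.h.

```python
import os
import re

# CAP_NET_RAW is capability number 13 in linux/capability.h; a process whose
# effective set contains it may open raw/packet sockets (what ARP spoofing needs).
CAP_NET_RAW = 13

_CAP_RE = re.compile(r"^Cap(Eff|Bnd):\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def capability_sets(status_text):
    """Parse the CapEff and CapBnd hex masks out of /proc/<pid>/status text."""
    sets = {m.group(1): int(m.group(2), 16) for m in _CAP_RE.finditer(status_text)}
    if "Eff" not in sets:
        raise ValueError("no CapEff line in status text")
    return sets


def has_cap_net_raw(status_text):
    """True if the process's effective capability set still includes CAP_NET_RAW."""
    return bool(capability_sets(status_text)["Eff"] & (1 << CAP_NET_RAW))


def processes_with_net_raw(proc_root="/proc"):
    """Return PIDs on this host whose effective set includes CAP_NET_RAW.

    On a Nomad client, compare the result against the PIDs of bridge-networked
    tasks; after the fix none of the docker/exec/java task processes should appear.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as f:
                if has_cap_net_raw(f.read()):
                    hits.append(int(entry))
        except (OSError, ValueError):
            continue  # process exited or its status file was unreadable
    return hits


# Constructed samples: a typical container default mask with NET_RAW (bit 13)
# set, and the same mask with that bit cleared, as the fixed drivers produce.
SAMPLE_WITH_NET_RAW = "Name:\tping\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
SAMPLE_WITHOUT_NET_RAW = "Name:\tapp\nCapEff:\t00000000a80405fb\nCapBnd:\t00000000a80405fb\n"

if __name__ == "__main__":
    print("sample with NET_RAW:", has_cap_net_raw(SAMPLE_WITH_NET_RAW))
    print("PIDs holding CAP_NET_RAW:", processes_with_net_raw())
```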
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
The issue is identified publicly as CVE-2021-32575.