CVE-2023-1296 Nomad ACLs Can Not Deny Access to Workload's Own Variables #16349

tgross · 2023-03-06T18:06:43Z

Summary:

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a deny ACL capability could not be applied to a workload’s own variables. If included, the Nomad ACL system will silently fail to block access. This vulnerability, CVE-2023-1296, was fixed in Nomad 1.4.6 and 1.5.1.

Background:

Nomad 1.4.0 introduced the variables feature, and a new workload identity feature so that tasks can access their own variables without needing to create and pass a Nomad ACL token.

Details:

An OSS user reported an unexpected behavior where adding a policy with a deny capability did not deny access to a variable.

Remediation:

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.4.6, 1.5.1, or newer.

tgross added the type/bug label Mar 6, 2023

tgross modified the milestones: 1.5.x, 1.5.1 Mar 6, 2023

tgross self-assigned this Mar 6, 2023

tgross added the theme/security label Mar 13, 2023

tgross changed the title ~~(placeholder)~~ CVE-2023-1296 Nomad ACLs Can Not Deny Access to Workload's Own Variables Mar 13, 2023

tgross closed this as completed Mar 13, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-1296 Nomad ACLs Can Not Deny Access to Workload's Own Variables #16349

CVE-2023-1296 Nomad ACLs Can Not Deny Access to Workload's Own Variables #16349

tgross commented Mar 6, 2023 •

edited

Loading

CVE-2023-1296 Nomad ACLs Can Not Deny Access to Workload's Own Variables #16349

CVE-2023-1296 Nomad ACLs Can Not Deny Access to Workload's Own Variables #16349

Comments

tgross commented Mar 6, 2023 • edited Loading

Summary:

Background:

Details:

Remediation:

tgross commented Mar 6, 2023 •

edited

Loading