After an internal investigation, we discovered that allocation endpoints do not correctly check the namespace and allow a user to bypass namespace checking if they know the allocation ID and have permissions for another namespace. This vulnerability affects Nomad Enterprise versions since 0.8.0.
This document outlines details about this vulnerability and describes steps for remediation.
Please note that this is a customer notification, and that HashiCorp will make similar content public in release notes and with a notification sent to our public mailing list.
Background
When determining whether an authenticated user request has access to an allocation, the user’s ACL token is checked against the request’s namespace instead of the allocation’s namespace. This means a user with allocation capabilities (e.g., “read-fs”) to one namespace (e.g., “staging”) effectively has that capability for all allocations in any namespace.
Users must know the allocation IDs they wish to access, as the /v1/allocations endpoint is filtered by namespace. However, allocation IDs are not considered sensitive and are exposed in metrics APIs and logs, and are generally considered discoverable by operators.
This vulnerability constitutes an unintentional bypass of authorization, and Nomad 0.9.6 will correctly check the allocation namespace in all requests.
Remediation
Operators should upgrade Nomad clients and servers to 0.9.6 to patch this vulnerability.
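The check described under Background, as an added example that is not part of the original notification and is not Nomad's code: a simplified model that puts the flawed check (token evaluated against the request's namespace) beside the corrected one (token evaluated against the allocation's namespace). The types, function names, the "prod" namespace and the allocation IDs are assumptions constructed for illustration.

```go
package main

import "fmt"

// Simplified model for illustration; these types are hypothetical, not Nomad's.
type Token struct {
	Caps map[string]map[string]bool // namespace -> capability -> granted
}

func (t Token) Allows(ns, capability string) bool { return t.Caps[ns][capability] }

type Allocation struct{ ID, Namespace string }

type Request struct {
	Namespace string // supplied by the caller with the request
	AllocID   string
}

// Constructed sample state: one allocation per namespace.
var allocs = map[string]Allocation{
	"alloc-staging-1": {ID: "alloc-staging-1", Namespace: "staging"},
	"alloc-prod-1":    {ID: "alloc-prod-1", Namespace: "prod"},
}

// Flawed pattern: the capability is checked in the namespace named by the request.
func authorizeByRequestNS(t Token, r Request, capability string) bool {
	_, ok := allocs[r.AllocID]
	return ok && t.Allows(r.Namespace, capability)
}

// Corrected pattern: look the allocation up first, then check the capability
// in the namespace the allocation actually belongs to.
func authorizeByAllocNS(t Token, r Request, capability string) bool {
	a, ok := allocs[r.AllocID]
	return ok && t.Allows(a.Namespace, capability)
}

func main() {
	tok := Token{Caps: map[string]map[string]bool{"staging": {"read-fs": true}}}
	cross := Request{Namespace: "staging", AllocID: "alloc-prod-1"}
	own := Request{Namespace: "staging", AllocID: "alloc-staging-1"}
	fmt.Println("request-namespace check, prod alloc:", authorizeByRequestNS(tok, cross, "read-fs"))
	fmt.Println("alloc-namespace check, prod alloc:  ", authorizeByAllocNS(tok, cross, "read-fs"))
	fmt.Println("alloc-namespace check, own alloc:   ", authorizeByAllocNS(tok, own, "read-fs"))
}
```

The same comparison works as a regression test for any handler that accepts an object ID: authorization has to be derived from the stored object, not from a field of the request.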
notnoop changed the title from "reserved 16742" to "CVE-2019-16742: Nomad ACL Checks Bypass Namespace Restriction on Allocation Endpoints" on Oct 8, 2019
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.