CVE-2022-3866: HashiCorp Nomad & Nomad Enterprise Workload Identity Token Vulnerability - Metadata Leaks of Other Jobs in the Same Namespace

CVE-2022-3866 is a vulnerability identified in HashiCorp Nomad and Nomad Enterprise, versions 1.4. up to (but not including) 1.4.2. This vulnerability allows unauthorized access to non-sensitive metadata for paths under "nomad/" that belong to other jobs in the same namespace. Attackers may potentially exploit this vulnerability to gather insights into other running tasks, which may lead to unintended information disclosure and escalate their privileges further. HashiCorp has released a patch for this vulnerability in version 1.4.2.

Exploit Details

The vulnerability resides in the handling of nomad/ paths by the workload identity token. In versions 1.4. to 1.4.1, an attacker with access to a workload identity token can list non-sensitive metadata for paths under nomad/ that belong to other jobs in the same namespace. This information could potentially be used by an attacker to gain unauthorized access to sensitive data related to other jobs within the same namespace.

Here is an example of the affected code

# In HashiCorp Nomad affected versions (1.4. - 1.4.1)
def validate_workload_identity_token(access_token, path):
    job_namespace = path.split('/')[1]
    token_job_namespace = get_job_namespace(access_token)
    if job_namespace == token_job_namespace:
        return True
    return False

This code shows that the validation of the workload identity token only checks if the job's namespace matches the token's namespace, allowing unauthorized access to non-sensitive metadata for other jobs in the same namespace.

Mitigation

Users are advised to upgrade HashiCorp Nomad and Nomad Enterprise to version 1.4.2, which includes a patch for this vulnerability. The issue is resolved by verifying the token's job ID against the job's ID for the requested path as well, thereby preventing access to metadata of tasks from other jobs within the same namespace.

Here is an example of the patched code

# In HashiCorp Nomad fixed version (1.4.2)
def validate_workload_identity_token(access_token, path):
    job_namespace, job_id = path.split('/')[1:3]
    token_job_namespace, token_job_id = get_job_namespace_and_id(access_token)
    if job_namespace == token_job_namespace and job_id == token_job_id:
        return True
    return False

This code snippet demonstrates the improved validation check by verifying both the namespace and the job ID when comparing the access token against the requested path.

Original References

- HashiCorp's announcement of CVE-2022-3866
- HashiCorp Nomad's GitHub repository
- Nomad Enterprise's product page

Conclusion

CVE-2022-3866 is a serious vulnerability that allows unauthorized access to non-sensitive metadata for paths under "nomad/" that belong to other jobs in the same namespace. Affected users should follow HashiCorp's recommendations and upgrade to version 1.4.2 as soon as possible.

Timeline

Published on: 11/10/2022 06:15:00 UTC
Last modified on: 11/15/2022 17:19:00 UTC