Description
After an internal investigation, we discovered that allocation endpoints do not correctly check the namespace, allowing a user who knows an allocation ID and holds permissions in a different namespace to bypass the namespace check. This vulnerability affects Nomad Enterprise versions since 0.8.0.
This document outlines details about this vulnerability and describes steps for remediation.
Please note that this is a customer notification, and that HashiCorp will make similar content public in release notes and with a notification sent to our public mailing list.
Background
When determining whether an authenticated user request has access to an allocation, the user’s ACL token is checked against the request’s namespace instead of the allocation’s namespace. This means a user whose token grants an allocation capability (e.g., “read-fs”) in one namespace (e.g., “staging”) effectively has that capability for every allocation in every namespace.
Users must know the allocation IDs they wish to access, as the /v1/allocations endpoint is filtered by namespace. However, allocation IDs are not considered sensitive: they are exposed in metrics APIs and logs, and are generally treated as discoverable by operators.
This vulnerability constitutes an unintentional bypass of authorization, and Nomad 0.9.6 will correctly check the allocation namespace in all requests.
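The following Go example is added here to illustrate the flaw described above and its correction; it is not Nomad's code, and the Token, Allocation and AllocRequest types, the read-fs string and the store map are a simplified model assumed for the example. The vulnerable function authorizes against the caller-supplied request namespace; the fixed one resolves the allocation first and authorizes against the namespace the allocation actually belongs to.

```go
package main

import "errors"

// Simplified stand-in for Nomad's ACL model (an assumption of this example):
// a token grants capabilities per namespace; allocation IDs are global.
type Token struct{ Caps map[string]map[string]bool }
type Allocation struct{ ID, Namespace string }

// AllocRequest mirrors an allocation endpoint request. The namespace field is
// caller-supplied, so it must not drive the authorization decision.
type AllocRequest struct{ AllocID, Namespace string }

var ErrDenied = errors.New("permission denied")
var ErrNotFound = errors.New("allocation not found")

// readFSVulnerable reproduces the flaw: the token is checked against the
// namespace written into the request, so a "read-fs" grant on "staging"
// reaches any allocation whose ID the caller knows, whatever its namespace.
func readFSVulnerable(tok Token, req AllocRequest, store map[string]Allocation) (Allocation, error) {
	if !tok.Caps[req.Namespace]["read-fs"] {
		return Allocation{}, ErrDenied
	}
	alloc, ok := store[req.AllocID]
	if !ok {
		return Allocation{}, ErrNotFound
	}
	return alloc, nil
}

// readFSFixed resolves the allocation first and authorizes against the
// namespace it actually belongs to; req.Namespace plays no part. Looking up
// before the ACL check reveals only whether an ID exists, which the advisory
// notes is not treated as sensitive.
func readFSFixed(tok Token, req AllocRequest, store map[string]Allocation) (Allocation, error) {
	alloc, ok := store[req.AllocID]
	if !ok {
		return Allocation{}, ErrNotFound
	}
	if !tok.Caps[alloc.Namespace]["read-fs"] {
		return Allocation{}, ErrDenied
	}
	return alloc, nil
}
```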
Remediation
Operators should upgrade Nomad clients and servers to 0.9.6 to patch this vulnerability.