VYPR
High severity · NVD Advisory · Published Jun 11, 2025 · Updated Jun 11, 2025

Nomad Vulnerable To Incorrect ACL Policy Lookup Attached To A Job

CVE-2025-4922

Description

Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nomad's prefix-based ACL policy lookup can assign incorrect rules to jobs, causing policy shadowing and potential privilege escalation.

Vulnerability

Overview

Nomad's Access Control List (ACL) system uses prefix-based policy lookups when associating policies with jobs. This mechanism can result in incorrect rule application and policy shadowing, where a newly created job with a carefully chosen prefix name may inadvertently inherit the ACL policies of an existing job [1]. For example, creating a job named test-job-2 could cause it to inherit policies intended for test-job, bypassing explicit policy configuration [3].
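To make the shadowing concrete, the following Go program contrasts a prefix-based policy lookup with an exact-match lookup over a small policy table. This is an added illustration written for this page; it is not Nomad's code, and the job names, policy names and the `lookupByPrefix`, `lookupExact` and `ShadowedJobs` helpers are all constructed for the example. It also goes slightly beyond the single test-job/test-job-2 case in the text: `ShadowedJobs` scans a whole list of job names and reports every one whose prefix lookup resolves to a different job's entry, which is the check a reviewer would want when auditing a lookup of this kind.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// jobPolicies maps a job name to the ACL policy names attached to it.
// Constructed sample data for this example; not from any real cluster.
var jobPolicies = map[string][]string{
	"test-job":       {"read-secrets", "submit-job"},
	"test-job-audit": {"read-only"},
}

// lookupByPrefix models the flawed pattern: it walks the table in sorted key
// order and returns the policies of the first entry whose name is a prefix of
// the requested job name. "test-job-2" therefore resolves to "test-job".
func lookupByPrefix(table map[string][]string, jobName string) (string, []string, bool) {
	keys := make([]string, 0, len(table))
	for k := range table {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if strings.HasPrefix(jobName, k) {
			return k, table[k], true
		}
	}
	return "", nil, false
}

// lookupExact is the corrected pattern: only the job's own entry is consulted,
// so a job with no attached policies gets none.
func lookupExact(table map[string][]string, jobName string) (string, []string, bool) {
	policies, ok := table[jobName]
	if !ok {
		return "", nil, false
	}
	return jobName, policies, true
}

// ShadowedJobs returns, for each name in names, the table entry that a prefix
// lookup would wrongly resolve it to. Names that resolve to their own entry, or
// to nothing, are omitted. This is the audit check: any non-empty result means
// the lookup hands out policies that were never attached to that job.
func ShadowedJobs(table map[string][]string, names []string) map[string]string {
	shadowed := map[string]string{}
	for _, name := range names {
		matched, _, ok := lookupByPrefix(table, name)
		if ok && matched != name {
			shadowed[name] = matched
		}
	}
	return shadowed
}

func main() {
	names := []string{"test-job-2", "test-job", "test-job-audit", "other"}
	for _, n := range names {
		pk, pp, _ := lookupByPrefix(jobPolicies, n)
		ek, ep, _ := lookupExact(jobPolicies, n)
		fmt.Printf("%-15s prefix -> %q %v | exact -> %q %v\n", n, pk, pp, ek, ep)
	}
	fmt.Println("shadowed:", ShadowedJobs(jobPolicies, names))
}
```

Note that the prefix lookup misbehaves in both directions: a job with no policies of its own (`test-job-2`) inherits those of `test-job`, and a job that does have its own entry (`test-job-audit`) is resolved to `test-job` first because the shorter key sorts earlier, so its narrower `read-only` policy never applies. The exact-match lookup returns nothing for `test-job-2` and the correct entry for `test-job-audit`.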

Exploitation

An attacker with sufficient privileges to create jobs can exploit this by crafting job names that share a prefix with a target job that has broader permissions. No additional authentication is required beyond the ability to submit a job with a name that collides during the prefix lookup. The attack does not require network access beyond the Nomad API endpoints [3].

Impact

Successful exploitation allows an attacker to run privileged jobs without having an appropriate ACL policy explicitly assigned to their token. This can lead to unauthorized access to sensitive data, modification of cluster state, or execution of actions normally restricted to higher-privileged roles [3].

Mitigation

HashiCorp has released fixes in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14. Users running affected versions (from 1.4.0 up to the fixed releases) should upgrade immediately to prevent exploitation [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/hashicorp/nomad (Go)
Affected versions: < 1.10.2
Patched versions: 1.10.2

Affected products: 5

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)