Nomad 0.12.6, Nomad 0.11.5, and Nomad 0.10.6 were released with an important security fix:
CVE-2020-27195 Nomad File Sandbox Escape via Template and Artifact Stanzas
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a specially crafted Nomad jobspec can be used to escape the client file sandbox configuration. This vulnerability affects version 0.9.0 up to 0.12.5, and is fixed in the 0.12.6, 0.11.5, and 0.10.6 releases.
Nomad utilizes the client filesystem to persistently store any required task artifacts or templates on disk. Custom artifacts (files) can be retrieved from various sources including the host client’s filesystem when configured.
Issues were discovered affecting Nomad’s file sandbox features using either the template or artifact stanzas. This can lead to Nomad operators with the ability to submit specially crafted jobspecs to be able to subvert the disable_file_sandbox configuration on the Nomad client.
Nomad 1.0 beta
The remediation for this issue will also be included in the upcoming Nomad 1.0 beta.
Links:
Changelog - https://github.com/hashicorp/nomad/blob/master/CHANGELOG.md
Binaries - https://releases.hashicorp.com/nomad/0.12.6/
Thanks,
The Nomad Team