CVE-2021-43415: 
Nomad vulnerability analysis and mitigation

HashiCorp Nomad and Nomad Enterprise up to versions 1.0.13, 1.1.7, and 1.2.0, with the QEMU task driver enabled, allowed authenticated users with job submission capabilities to bypass the configured allowed image paths. The vulnerability was discovered and disclosed on November 22, 2021, and was assigned identifier CVE-2021-43415. The issue was fixed in versions 1.0.14, 1.1.8, and 1.2.1 (HashiCorp Discussion).

The vulnerability allowed a Nomad job using the QEMU task driver to bypass intended restrictions on the source of the image on the host by exploiting QEMU's -drive CLI flag as an argument in the submitted job. The QEMU task driver's args functionality could potentially facilitate further access to resources on the host. To address this, Nomad's QEMU task driver configuration logic was modified to provide operators with increased control over access to host resources by restricting the QEMU CLI flags available to job submitters through a new args_allowlist option (HashiCorp Discussion).

The vulnerability allowed authenticated users with job submission capabilities to bypass the configured allowed paths for images in the QEMU task driver. This could potentially lead to unauthorized access to the underlying host filesystem and resources (HashiCorp Discussion).

Organizations should upgrade to Nomad or Nomad Enterprise versions 1.0.14, 1.1.8, 1.2.1, or newer. After upgrading, operators need to configure client agents with the new argsallowlist option, permitting only necessary QEMU CLI flags. Alternatively, the QEMU task driver can be disabled entirely using the plugin configuration. For example, the argsallowlist can be configured as: plugin 'qemu' { config { imagepaths = ["/mnt/image/paths"] argsallowlist = ["-drive", "-usbdevice"] } } (HashiCorp Discussion).