
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was identified in HashiCorp's Nomad and Nomad Enterprise (versions 1.4.0 up to 1.4.1) where event stream subscribers using an ACL token with an expiry TTL would continue to receive events beyond their token's expiration until the token was garbage collected. The vulnerability was discovered through internal testing and was assigned CVE-2022-3867. The issue was fixed with the release of Nomad version 1.4.2 (HashiCorp Discuss).
The vulnerability affects Nomad's event stream functionality, which provides real-time updates for Job, Allocation, Evaluation, Deployment, and Node changes. The issue stems from improper ACL token TTL verification logic in the event stream system. When state changes occur in Nomad's Finite State Machine (FSM), events are created for each updated object, but the system failed to properly verify the ACL token's expiration before sending these events (HashiCorp Discuss).
The vulnerability could allow malicious operators or third parties with authenticated access to continue receiving event stream updates beyond their token's intended expiration time. This could potentially lead to unauthorized access to system state changes and sensitive information (HashiCorp Discuss).
The issue has been addressed in Nomad version 1.4.2 by modifying the ACL token TTL verification logic to authorize the subscriber's ACL token before sending each event down the stream. Users are advised to upgrade to Nomad 1.4.2 or newer versions to remediate this vulnerability (HashiCorp Discuss).
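The difference between the pre-1.4.2 behaviour and the fix, as an added Go example that is not Nomad's own code: `ACLToken`, `Event`, `deliverCheckedOnce` and `deliverCheckedPerEvent` are simplified stand-ins constructed for this illustration, with the subscriber's clock injected so the TTL boundary can be reproduced deterministically.

```go
package main

import (
	"errors"
	"time"
)

// ACLToken is a simplified stand-in for a Nomad ACL token that carries a TTL.
// It is constructed for this example and is not Nomad's own type.
type ACLToken struct {
	AccessorID     string
	ExpirationTime time.Time // zero value means the token never expires
}

// Expired reports whether the token's TTL has elapsed at time now.
func (t ACLToken) Expired(now time.Time) bool {
	return !t.ExpirationTime.IsZero() && !now.Before(t.ExpirationTime)
}

// Event is a simplified stand-in for one event on the Nomad event stream.
type Event struct {
	Topic string // e.g. Job, Allocation, Evaluation, Deployment, Node
	Index uint64
}

var ErrTokenExpired = errors.New("acl token expired")

// deliverCheckedOnce models the vulnerable behaviour (Nomad 1.4.0 to 1.4.1): the
// token is authorized only when the subscription is created, so every later
// event is still sent even if the TTL elapses in the meantime.
func deliverCheckedOnce(tok ACLToken, events []Event, clock func() time.Time) ([]Event, error) {
	if tok.Expired(clock()) {
		return nil, ErrTokenExpired
	}
	return append([]Event(nil), events...), nil
}

// deliverCheckedPerEvent models the fix (Nomad 1.4.2): the token's TTL is
// re-verified before each event goes down the stream, and delivery stops at
// the first event for which the token has expired.
func deliverCheckedPerEvent(tok ACLToken, events []Event, clock func() time.Time) ([]Event, error) {
	var delivered []Event
	for _, ev := range events {
		if tok.Expired(clock()) {
			return delivered, ErrTokenExpired
		}
		delivered = append(delivered, ev)
	}
	return delivered, nil
}
```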
Source: This report was generated using AI