CVE-2023-3072: 
Nomad vulnerability analysis and mitigation

HashiCorp Nomad and Nomad Enterprise versions 0.7.0 up to 1.5.6 and 1.4.10 contain a vulnerability where ACL policies using a block without a label generates unexpected results. The vulnerability, identified as CVE-2023-3072, was discovered internally by the Nomad engineering team and has been fixed in versions 1.6.0, 1.5.7, and 1.4.11 (HashiCorp Advisory).

The vulnerability stems from a flaw in the ACL policy system used for HTTP API authorization. When policies that expect a label are created without specifying one, they may be applied to unexpected resources. For example, a namespace policy block without a label could be unexpectedly applied to a namespace called 'policy'. The issue has been assigned a CVSS v3.1 base score of 3.8 (LOW) by NVD with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N, while HashiCorp assessed it with a score of 4.1 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L (NVD).

This vulnerability could lead cluster administrators to inadvertently create policies that allow access to unintended resources. For namespace policies in particular, the documentation incorrectly stated that policies without labels would only apply to the default namespace (HashiCorp Advisory).

Users are advised to upgrade to Nomad versions 1.6.0, 1.5.7, or 1.4.11 or newer to address this vulnerability. HashiCorp recommends evaluating the risk associated with this issue and following their general upgrade guidance as outlined in Nomad's Upgrading documentation (HashiCorp Advisory).