CVE-2023-3299: 
Nomad vulnerability analysis and mitigation

HashiCorp Nomad Enterprise versions 1.2.11 up to 1.5.6, and 1.4.10 contain a vulnerability (CVE-2023-3299) where ACL policies using a block without a label generates unexpected results. The vulnerability was discovered through internal testing by the Nomad engineering team and was disclosed on July 19, 2023. The issue has been fixed in versions 1.6.0, 1.5.7, and 1.4.11 (HashiCorp Advisory).

The vulnerability exists in Nomad Enterprise's Sentinel policy-as-code system, which is used by administrators to enforce criteria for jobs submitted to a cluster. The issue allows Sentinel policies to access a caller's ACL token secret ID, which is not required for policy enforcement. The vulnerability has been assigned a CVSS v3.1 base score of 2.7 (LOW) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. The weakness is categorized under CWE-668 (Exposure of Resource to Wrong Sphere) and CWE-201 (Insertion of Sensitive Information Into Sent Data) (NVD).

If exploited, this vulnerability could allow a poorly specified policy to access the token's secret ID and potentially leak it to command and API output if printed. The impact is limited as exploitation requires a management token to submit a Sentinel policy to a Nomad cluster, with the policy explicitly reading the secret from the token as nomadacltoken.secret_id (HashiCorp Advisory).

HashiCorp recommends that customers evaluate their risk and upgrade to Nomad Enterprise versions 1.6.0, 1.5.7, or 1.4.11 or newer. General guidance for the upgrade process can be found in Nomad's Upgrading documentation. Users should also review and implement the security model recommendations for a secure Nomad deployment (HashiCorp Advisory).