
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN356

_____________________________________________________________________

DATE                : 12/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Nomad versions prior to
                     1.10.2, 1.9.10, 1.8.14.

=====================================================================
https://discuss.hashicorp.com/t/hcsec-2025-12-nomad-vulnerable-to-incorrect-acl-policy-lookup-attached-to-a-job/75396
_____________________________________________________________________


HCSEC-2025-12 - Nomad Vulnerable To Incorrect ACL Policy Lookup
Attached To A Job

Category: Security / security-nomad
Posted by dduzgun-security, June 11, 2025, 1:08pm

Bulletin ID: HCSEC-2025-12
Affected Products / Versions:
Nomad Community Edition from 1.4.0 up to 1.10.1, fixed in 1.10.2.
Nomad Enterprise from 1.4.0 up to 1.10.1, 1.9.9, 1.8.13, fixed in
1.10.2, 1.9.10, and 1.8.14.

Publication Date: June 11, 2025


Summary
Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy
lookup can lead to incorrect rule application and shadowing. This
vulnerability, identified as CVE-2025-4922, is fixed in Nomad
Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10,
and 1.8.14.


Background
Nomad provides an optional Access Control List (ACL) system which can be
used to control access to data and APIs. The ACL system is
capability-based, relying on tokens which are associated with policies
to determine which fine-grained rules can be applied. ACL policies
consist of a set of rules defining the capabilities or actions to be
granted.


Details
It was discovered that getting ACL policies by job would perform a
prefix-based lookup on the index, which could result in policies being
applied incorrectly and cause unintentional policy rule shadowing. An
attacker with the proper access could create a new job with a
prefixed name (e.g. test-job-2) to inherit the same ACL policies as
an already existing job (e.g. test-job). This could allow running
privileged jobs without explicitly configuring a new policy.


Remediation
Customers should evaluate the risk associated with this issue and
consider upgrading to Nomad 1.10.2, 1.9.10, 1.8.14, or newer.


Acknowledgement
This issue was identified by HashiCorp's Nomad engineering teams.

We deeply appreciate any effort to coordinate disclosure of
security vulnerabilities. For information about security at
HashiCorp and the reporting of security vulnerabilities,
please see https://hashicorp.com/security.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
