Vulnerability ID: CVE-2020-27195
Versions: Nomad 0.9.0 through 0.12.5; fixed in 0.12.6, 0.11.5, and 0.10.6.
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a specially crafted Nomad jobspec can be used to escape the client file sandbox configuration. This vulnerability affects versions 0.9.0 up to 0.12.5, and is fixed in the 0.12.6, 0.11.5, and 0.10.6 releases.
Nomad utilizes the client filesystem to persistently store any required task artifacts or templates on disk. Custom artifacts (files) can be retrieved from various sources including the host client’s filesystem when configured.
Issues were discovered affecting Nomad’s file sandbox features using either the template or artifact stanzas. These issues can allow Nomad operators who are able to submit specially crafted jobspecs to subvert the disable_file_sandbox configuration on the Nomad client.
Users should upgrade to Nomad or Nomad Enterprise 0.12.6, 0.11.5, 0.10.6, or newer. Please refer to the CHANGELOG and Upgrading Nomad for general guidance and version-specific upgrade notes.
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.