HCSEC-2024-29

**Bulletin ID:** HCSEC-2024-29

**Affected Products / Versions:** Nomad Community Edition from 1.4.0 up to 1.9.3, fixed in 1.9.4. Nomad Enterprise from 1.4.0 up to 1.9.3, 1.8.7, and 1.7.15, fixed in 1.9.4, 1.8.8, and 1.7.16.

**Publication Date:** December 19, 2024

**Summary**

Nomad Community and Nomad Enterprise ("Nomad") allocations are vulnerable to privilege escalation within a namespace through unredacted workload identity tokens. This vulnerability, identified as CVE-2024-12678, is fixed in Nomad Community Edition 1.9.4 and Nomad Enterprise 1.9.4, 1.8.8, and 1.7.16.

**Background**

Every workload running in Nomad is given a default identity. When an [allocation](https://developer.hashicorp.com/nomad/docs/glossary#allocation) is accepted by the [scheduler](https://developer.hashicorp.com/nomad/docs/concepts/scheduling/scheduling), the leader generates a Workload Identity for each task in the allocation. This workload identity is a [JSON Web Token (JWT)](https://datatracker.ietf.org/doc/html/rfc7519) signed by the leader's keyring. Additional workload identities may be defined in tasks and services using the [identity](https://developer.hashicorp.com/nomad/docs/job-specification/identity) block.

You can associate additional [ACL policies with workload identities](https://developer.hashicorp.com/nomad/docs/concepts/workload-identity#workload-associated-acl-policies) by passing the `-job`, `-group`, and `-task` flags to `nomad acl policy apply`. When Nomad resolves a workload identity claim, it automatically attaches every policy whose job, group, and task scope matches that claim. If no matching policies exist, the workload identity has no additional capabilities beyond the default ones.

**Details**

Reading an allocation through the [Read Allocation API](https://developer.hashicorp.com/nomad/api-docs/allocations#read-allocation) or the [alloc](https://developer.hashicorp.com/nomad/docs/commands/alloc) command returns the allocation's [Workload Identity](https://developer.hashicorp.com/nomad/docs/concepts/workload-identity) tokens. Each token grants access to the workload's variables and service discovery, and, when [workload-associated ACL policies](https://developer.hashicorp.com/nomad/docs/concepts/workload-identity#workload-associated-acl-policies) are in use, to whatever those policies allow. Because the tokens were returned unredacted, a user holding only `namespace:read` access could read the identity token of any workload in the namespace and use it to obtain the additional policies attached to that workload.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.9.4, 1.8.8, 1.7.16, or newer. Note that the fix stops the API from returning the tokens; it does not invalidate tokens that were already read by a caller before the upgrade, so operators should also assess whether identities of workloads in affected namespaces may have been exposed. Please refer to [Upgrading Nomad](https://developer.hashicorp.com/nomad/docs/upgrade) for general guidance and the [Upgrade Guides](https://developer.hashicorp.com/nomad/docs/upgrade/upgrade-specific) for version-specific upgrade notes.

**Acknowledgement**

This issue was identified by HashiCorp's Nomad engineering teams.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*
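The following Python is an added example, not part of the HashiCorp bulletin and not Nomad's own code. It models the two mechanisms the Background and Details sections describe: it inspects the JSON a `namespace:read` caller gets back from the Read Allocation API to see whether per-task workload identity JWTs are present (pre-fix behaviour) or redacted (post-fix behaviour), and for each exposed token it decodes the claims and computes which workload-associated ACL policies Nomad's `-job`/`-group`/`-task` scoping would attach to a request made with that token. The alloc field name `SignedIdentities`, the claim names `nomad_namespace`, `nomad_job_id`, `nomad_allocation_id` and `nomad_task`, the policy `JobACL` scope layout, and all sample allocations, policies and tokens are assumptions constructed for illustration. The JWT signature is deliberately not verified: the point is what a reader of the API response learns, not whether the token is valid.

```python
import base64
import json

# Assumed name of the alloc JSON key holding per-task workload identity JWTs.
SIGNED_IDENTITIES_KEY = "SignedIdentities"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's claim set WITHOUT verifying the signature.

    Intentional: we model what an API reader can learn from an exposed token.
    Never use unverified claims for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Constructed test data: a well-formed JWT with a dummy signature.
    Real Nomad tokens are signed by the leader's keyring."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-key-id"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), _b64url_encode(b"not-a-real-signature")])


def exposed_identities(alloc: dict) -> dict:
    """Per-task JWTs present in a Read Allocation response, or {} when the
    server omitted/redacted them (expected on fixed versions)."""
    return dict(alloc.get(SIGNED_IDENTITIES_KEY) or {})


def _scope_matches(scope: dict, namespace: str, job_id: str, group: str, task: str) -> bool:
    """A workload-associated policy applies when its namespace matches and every
    populated JobID/Group/Task field equals the workload's own value."""
    if scope.get("Namespace") != namespace:
        return False
    for field, value in (("JobID", job_id), ("Group", group), ("Task", task)):
        if scope.get(field) and scope[field] != value:
            return False
    return True


def policies_for_task(alloc: dict, task: str, claims: dict, policies: list) -> list:
    """Names of policies Nomad would attach to a request carrying this task's
    identity. Policies without a JobACL binding are not workload-associated."""
    return [
        p["Name"] for p in policies
        if p.get("JobACL") and _scope_matches(
            p["JobACL"], claims["nomad_namespace"], claims["nomad_job_id"],
            alloc["TaskGroup"], task)
    ]


def assess(alloc: dict, policies: list) -> dict:
    """Summarise what a namespace:read caller gains from one alloc response."""
    tokens = exposed_identities(alloc)
    report = {"exposed": bool(tokens), "tokens": {}}
    for task, token in tokens.items():
        claims = decode_jwt_claims(token)
        report["tokens"][task] = {
            "claims": claims,
            "policies": policies_for_task(alloc, task, claims, policies),
        }
    return report


# --- constructed sample data (not captured from a real cluster) -------------
WEB_CLAIMS = {
    "nomad_namespace": "prod", "nomad_job_id": "webapp",
    "nomad_allocation_id": "3a1f0c2e-0000-4000-8000-000000000001",
    "nomad_task": "web", "iss": "nomad", "aud": ["nomadproject.io"],
}
ALLOC_VULNERABLE = {
    "ID": WEB_CLAIMS["nomad_allocation_id"], "Namespace": "prod",
    "JobID": "webapp", "TaskGroup": "frontend",
    "SignedIdentities": {"web": make_sample_token(WEB_CLAIMS)},
}
ALLOC_FIXED = {**ALLOC_VULNERABLE, "SignedIdentities": None}

POLICIES = [
    {"Name": "webapp-secrets",     "JobACL": {"Namespace": "prod", "JobID": "webapp", "Group": "", "Task": ""}},
    {"Name": "frontend-web-extra", "JobACL": {"Namespace": "prod", "JobID": "webapp", "Group": "frontend", "Task": "web"}},
    {"Name": "database-only",      "JobACL": {"Namespace": "prod", "JobID": "webapp", "Group": "database", "Task": ""}},
    {"Name": "dev-webapp",         "JobACL": {"Namespace": "dev",  "JobID": "webapp", "Group": "", "Task": ""}},
    {"Name": "operators",          "JobACL": None},
]

if __name__ == "__main__":
    for label, alloc in (("vulnerable", ALLOC_VULNERABLE), ("fixed", ALLOC_FIXED)):
        print(label, json.dumps(assess(alloc, POLICIES), indent=2))
```

To run this against a live cluster, replace `ALLOC_VULNERABLE` with the body of `GET /v1/allocation/<id>` (or the output of `nomad alloc status -json <id>`) and `POLICIES` with the policies read from `/v1/acl/policy/<name>`; an `"exposed": true` result on a version before 1.9.4, 1.8.8 or 1.7.16 is the condition this bulletin describes, and the listed policy names are what a `namespace:read` caller could reach by presenting the token. The matching rule in `_scope_matches` is this example's reading of the documented scoping flags, not Nomad's resolver code.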

Timeline

  • Dec 20, 2024 CVE Published