Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sec: fix alloc workload identity namespace permission #24683

Merged
merged 4 commits into from
Dec 16, 2024
Merged

sec: fix alloc workload identity namespace permission #24683

merged 4 commits into from
Dec 16, 2024
+23 −1

Conversation

dduzgun-security
Copy link
Collaborator

@dduzgun-security dduzgun-security commented Dec 16, 2024
edited by tgross
Loading

Description

Sanitize the Allocations SignedIdentities to prevent privilege escalation within a namespace through unauthorized impersonation of workload associated with ACL policies in any workload within the namespace.
This resolves CVE-2024-12678.

Testing & Reproduction steps

Current tests are passing.

Links

https://github.com/hashicorp/nomad-enterprise/pull/2098

Contributor Checklist

  • Changelog Entry If this PR changes user-facing behavior, please generate and add a
    changelog entry using the make cl command.
  • Testing Please add tests to cover any new functionality or to demonstrate bug fixes and
    ensure regressions will be caught.
  • Documentation If the change impacts user-facing functionality such as the CLI, API, UI,
    and job configuration, please update the Nomad website documentation to reflect this. Refer to
    the website README for docs guidelines. Please also consider whether the
    change requires notes within the upgrade guide.

Reviewer Checklist

  • Backport Labels Please add the correct backport labels as described by the internal
    backporting document.
  • Commit Type Ensure the correct merge method is selected which should be "squash and merge"
    in the majority of situations. The main exceptions are long-lived feature branches or merges where
    history should be preserved.
  • Enterprise PRs If this is an enterprise only PR, please add any required changelog entry
    within the public repository.

@dduzgun-security dduzgun-security added theme/security backport/ent/1.7.x+ent Changes are backported to 1.7.x+ent backport/ent/1.8.x+ent Changes are backported to 1.8.x+ent backport/ent/1.9.x+ent Changes are backported to 1.9.x+ent backport/1.9.x backport to 1.9.x release line labels Dec 16, 2024
@dduzgun-security dduzgun-security self-assigned this Dec 16, 2024
@dduzgun-security dduzgun-security marked this pull request as ready for review December 16, 2024 21:12
@dduzgun-security dduzgun-security requested review from a team as code owners December 16, 2024 21:12
@tgross tgross removed the backport/ent/1.9.x+ent Changes are backported to 1.9.x+ent label Dec 16, 2024
@tgross tgross added this to the 1.9.x milestone Dec 16, 2024
tgross
tgross reviewed Dec 16, 2024
View reviewed changes
Copy link
Member

@tgross tgross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

.changelog/24683.txt Outdated Show resolved Hide resolved
@tgross tgross added the theme/api HTTP API and SDK issues label Dec 16, 2024
@tgross tgross merged commit 22b7470 into main Dec 16, 2024
28 checks passed
@tgross tgross deleted the sec/alloc-namespace-wi-permission branch December 16, 2024 21:35
@hc-github-team-nomad-core hc-github-team-nomad-core mentioned this pull request Dec 16, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tgross tgross tgross approved these changes

Assignees

@dduzgun-security dduzgun-security

Labels
backport/ent/1.7.x+ent Changes are backported to 1.7.x+ent backport/ent/1.8.x+ent Changes are backported to 1.8.x+ent backport/1.9.x backport to 1.9.x release line theme/api HTTP API and SDK issues theme/security
Projects
None yet
Milestone
1.9.x
Development

Successfully merging this pull request may close these issues.
2 participants
@dduzgun-security @tgross