
CVE-2022-3867: CWE-613 Insufficient Session Expiration in HashiCorp Nomad

Severity: Low
Tags: Vulnerability, CVE-2022-3867, CWE-613
Published: Thu Nov 10 2022 (11/10/2022, 05:45:53 UTC)
Source: CVE
Vendor/Project: HashiCorp
Product: Nomad

Description

In HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1, event stream subscribers using a token with a TTL continue to receive updates until the token is garbage collected. Fixed in 1.4.2.

AI-Powered Analysis

Last updated: 06/25/2025, 22:31:17 UTC

Technical Analysis

CVE-2022-3867 is a vulnerability in HashiCorp Nomad versions 1.4.0 and 1.4.1, classified as insufficient session expiration (CWE-613). Nomad is a widely used workload orchestrator for deploying and managing containerized and non-containerized applications across distributed infrastructure. The vulnerability affects the event stream subscriber mechanism, where subscribers authenticate with ACL tokens that carry a time-to-live (TTL). Because expiration is not enforced on the open subscription, a subscriber holding such a token keeps receiving event stream updates until the token garbage collection process removes the token, which may happen well after the TTL has elapsed. In effect, a token that should have expired remains usable for event streaming, allowing prolonged access to event data. The issue was fixed in Nomad version 1.4.2. The CVSS 3.1 base score is 2.7 (low severity). The vector string (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) indicates that the vulnerability is reachable over the network, requires high privileges and no user interaction, and has a low impact on confidentiality with no impact on integrity or availability. No known exploits have been reported in the wild. The vulnerability does not allow privilege escalation or direct system compromise, but it could lead to unauthorized access to event stream data beyond the intended session lifetime, potentially leaking sensitive operational information.

Potential Impact

For European organizations using HashiCorp Nomad versions 1.4.0 or 1.4.1, this vulnerability could result in extended unauthorized access to event stream data. While the impact on confidentiality is low, the exposure of operational event data could aid attackers in reconnaissance or lateral movement within the infrastructure. Organizations in sectors with stringent data protection regulations, such as finance, healthcare, and critical infrastructure, may face compliance risks if sensitive information is inadvertently exposed. However, since exploitation requires high privileges, the threat is primarily to internal users or attackers who have already gained elevated access. The availability and integrity of systems are not affected, reducing the risk of service disruption or data manipulation. Overall, the impact is limited but should not be ignored in environments where session management and data confidentiality are critical.

Mitigation Recommendations

European organizations should upgrade HashiCorp Nomad to version 1.4.2 or later to ensure the vulnerability is patched. Beyond patching, organizations should implement strict access controls and monitoring around Nomad event stream tokens, including limiting token issuance to necessary users and services only. Regularly auditing token lifetimes and garbage collection processes can help detect anomalies in session expiration. Employ network segmentation to restrict access to Nomad event streams to trusted hosts and users. Additionally, integrating Nomad logs and event streams into centralized security information and event management (SIEM) systems can facilitate early detection of abnormal token usage patterns. For environments where immediate patching is not feasible, consider temporarily disabling event stream subscriptions or enforcing shorter TTLs through configuration if supported. Finally, ensure that privileged accounts are secured with multi-factor authentication and monitored for unusual activity to reduce the risk of token misuse.
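One concrete form of the token-lifetime audit recommended above is to list the cluster's ACL tokens and flag any TTL token whose expiration has passed but which is still present (i.e. not yet garbage collected), so it can be revoked explicitly. The following is an added example, not HashiCorp code; it assumes the token-stub field names of Nomad's ACL token list API (AccessorID, Name, Type, ExpirationTime) and uses constructed sample records rather than a live cluster.

```python
# Added example (not HashiCorp code): audit a Nomad ACL token listing for TTL
# tokens past their ExpirationTime that are still listed, i.e. not yet garbage
# collected. Field names follow Nomad's ACL token list API (assumption).
from datetime import datetime, timezone
import json
import re

# Constructed sample in the shape of a `GET /v1/acl/tokens` response (assumption).
SAMPLE_TOKENS_JSON = """[
  {"AccessorID": "aaaa-1", "Name": "event-subscriber-ci", "Type": "client",
   "ExpirationTime": "2022-11-09T10:00:00Z"},
  {"AccessorID": "bbbb-2", "Name": "event-subscriber-ops", "Type": "client",
   "ExpirationTime": "2022-11-10T12:00:00.123456789Z"},
  {"AccessorID": "cccc-3", "Name": "bootstrap", "Type": "management",
   "ExpirationTime": null}
]"""

_FRACTION = re.compile(r"\.(\d+)")

def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp, truncating fractional seconds to microseconds
    (Go emits nanosecond precision, which datetime.fromisoformat cannot take)."""
    ts = _FRACTION.sub(lambda m: "." + m.group(1)[:6], ts)
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts)

def lingering_tokens(tokens, now):
    """Return (AccessorID, whole seconds past expiry) for every TTL token whose
    ExpirationTime is before `now` but which is still listed. Tokens without
    an expiration (no TTL) are skipped; they are not affected by this issue."""
    found = []
    for tok in tokens:
        exp = tok.get("ExpirationTime")
        if not exp:
            continue
        overdue = (now - parse_rfc3339(exp)).total_seconds()
        if overdue > 0:
            found.append((tok["AccessorID"], int(overdue)))
    return found

def audit(raw_json, now_rfc3339=None):
    """Run the audit on a raw token-list JSON document; `now` defaults to UTC now."""
    now = parse_rfc3339(now_rfc3339) if now_rfc3339 else datetime.now(timezone.utc)
    return lingering_tokens(json.loads(raw_json), now)

if __name__ == "__main__":
    for accessor, secs in audit(SAMPLE_TOKENS_JSON):
        print(f"{accessor}: expired {secs}s ago but still present")
```

Any accessor ID reported here still exists on the servers and can be revoked immediately with `nomad acl token delete <accessor>` rather than waiting for garbage collection.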


Technical Details

Data Version: 5.1
Assigner Short Name: HashiCorp
Date Reserved: 2022-11-04T22:54:20.822Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbec5a4

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 6/25/2025, 10:31:17 PM

Last updated: 7/30/2025, 6:01:22 PM
