HCSEC-2021-26 - Nomad Denial Of Service Via Submission Of Incomplete Job Specification Using Consul Mesh Gateway & Host Network

Bulletin ID: HCSEC-2021-26
Affected Products / Versions: Nomad and Nomad Enterprise 1.1.1 through 1.1.5; fixed in 1.1.6.
Publication Date: October 5, 2021

Summary
Nomad and Nomad Enterprise (“Nomad”) allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. This vulnerability, CVE-2021-41865, was fixed in Nomad 1.1.6.

Background
Nomad provides first-class support for Nomad jobs running Consul Connect mesh gateways via the connect stanza. Mesh gateways let services in the Connect mesh communicate across datacenters through the gateways, so that each datacenter does not need full node interconnectivity with the others.

Nomad also allows jobs to be configured with a range of network modes, including host mode.

Details
During internal testing, it was observed that a Nomad job configured to use a Consul mesh gateway and host networking mode causes the Nomad client agents that run it to crash. Because a crashed client may be marked lost, its allocations are rescheduled onto other clients; as the problematic job specification moves around the cluster, it could eventually crash every client.

On investigation, it was observed that a missing optional stanza within that job specification was not being correctly handled. Nomad’s configuration logic has been modified to correctly handle this case without crashing.

Remediation
Note that the Nomad 1.0 branch and earlier releases were not affected by this issue.

Customers on the Nomad 1.1 branch should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.1.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

Acknowledgement
This issue was identified by the Nomad engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.