HCSEC-2022-01 - Nomad Artifact Download Race Condition

Bulletin ID: HCSEC-2022-01
Affected Products / Versions: Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and 1.2.5; fixed in 1.0.18, 1.1.12, and 1.2.6.
Publication Date: February 10, 2021

Nomad and Nomad Enterprise (“Nomad”) artifact download functionality had a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. This vulnerability, CVE-2022-24686, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.

Nomad uses the go-getter library to download artifacts, as defined in the artifact stanza of job definitions. This library can be used in a way that is unsafe if shared between goroutines.

During internal testing, it was observed that Nomad’s go-getter client is used in an unsafe way using the builtin go test race detector. Under the right conditions, this may allow an attacker with job submission capabilities to impact another allocation such that the client will place the wrong artifact into the wrong destination.

This is likely difficult or impossible to reliably exploit on a live cluster, as an attacker would need to get two artifact downloads to kick off at just the right time, outside of their own job submission.

Nomad’s logic has been modified to no longer allow this attack.

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

This issue was identified by the Nomad engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.