Bulletin ID: HCSEC-2022-03
Affected Products / Versions: Nomad and Nomad Enterprise 1.0.0 through 1.0.17, 1.1.11, and 1.2.5; fixed in 1.0.18, 1.1.12, and 1.2.6.
Publication Date: February 10, 2022
Nomad and Nomad Enterprise (“Nomad”) allows anyone with access to Nomad’s API to submit HCL formatted jobs for parsing to return the equivalent JSON. This endpoint allowed malformed HCL configuration to be evaluated, resulting in excessive CPU usage on Nomad server agents. This vulnerability, CVE-2022-24685, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.
The Nomad jobs API allows operators to interact with jobs in a cluster. When jobs are sent to the API, these must be formatted as JSON in the HTTP request. Nomad’s “job file” is an HCL formatted file, which needs to be converted to JSON, typically handled by the CLI. The jobs API exposes the parse endpoint to do this HCL to JSON conversion for systems that cannot use the CLI.
It was discovered that the Nomad’s jobs API could cause excessive CPU usage on server agents when provided with malformed HCL configuration. Nomad’s HCL parsing logic has been modified to no longer allow this attack, and now requires an ACL token when accessing the parse endpoint.
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.
This issue was identified during scheduled external security assessment.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.