Bulletin ID: HCSEC-2022-04
Affected Products / Versions: Nomad and Nomad Enterprise 0.9.0 through 1.0.17, 1.1.11, and 1.2.5; fixed in 1.0.18, 1.1.12, and 1.2.6.
Publication Date: February 10, 2022
Summary
Nomad and Nomad Enterprise (“Nomad”) allows operators with job-submit capabilities to use the spread stanza in a way such that it can cause panic in Nomad servers. This vulnerability, CVE-2022-24684, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.
Background
The spread stanza within a Nomad job allows operators to increase the failure tolerance of their applications by specifying a node attribute that allocations should be spread over.
Details
It was observed that Nomad’s spread and update stanzas can be combined in such a way that it can cause panic in Nomad servers. Nomad’s logic has been modified to no longer allow this attack.
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.
Acknowledgement
This issue was identified by an external party who reported it to HashiCorp.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.