HCSEC-2022-04 - Nomad Spread Job Stanza May Trigger Panic in Servers

Bulletin ID: HCSEC-2022-04
Affected Products / Versions: Nomad and Nomad Enterprise 0.9.0 through 1.0.17, 1.1.11, and 1.2.5; fixed in 1.0.18, 1.1.12, and 1.2.6.
Publication Date: February 10, 2022

Nomad and Nomad Enterprise (“Nomad”) allows operators with job-submit capabilities to use the spread stanza in a way such that it can cause panic in Nomad servers. This vulnerability, CVE-2022-24684, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.

The spread stanza within a Nomad job allows operators to increase the failure tolerance of their applications by specifying a node attribute that allocations should be spread over.

It was observed that Nomad’s spread and update stanzas can be combined in such a way that it can cause panic in Nomad servers. Nomad’s logic has been modified to no longer allow this attack.

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

This issue was identified by an external party who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.