Bulletin ID: HCSEC-2022-14
Affected Products / Versions: Nomad 0.2.0 through 1.3.0; fixed in 1.1.14, 1.2.8, and 1.3.1.
Publication Date: May 24, 2022
Summary
Vulnerabilities were identified in the go-getter library that Nomad and Nomad Enterprise (“Nomad”) uses for its artifacts such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. This combined exposure, CVE-2022-30324, affects Nomad versions 0.2.0 through 1.3.0, and is fixed in the 1.1.14, 1.2.8, and 1.3.1 releases.
Background
Nomad utilizes HashiCorp’s go-getter library for its artifact stanza that can be included in jobs submitted to the cluster. These custom artifacts (files) can be retrieved using various protocols.
Details
Vulnerabilities were discovered externally and internally affecting the go-getter library (go-getter security bulletin; CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, CVE-2022-30323). Nomad uses this library directly for its artifact stanza. As a result, Nomad operators who are able to submit specially crafted jobspecs can escalate privileges onto client agent hosts.
Remediation
Customers should upgrade to Nomad or Nomad Enterprise 1.1.14, 1.2.8, 1.3.1, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.
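As an added example (not part of the bulletin), the check below applies the affected and fixed versions stated above to decide whether a given Nomad build needs the upgrade. Because the fix shipped on three release branches, it compares against the fix for the version's own branch rather than the newest fix overall, so 1.2.0 is correctly reported as affected even though it is newer than 1.1.14. Function names are assumptions for this example.

```python
# Added example: version check for HCSEC-2022-14 / CVE-2022-30324 (not HashiCorp code).
import re

# Version data from the bulletin, as (major, minor, patch, final) tuples;
# final is 1 for a release build and 0 for a pre-release (e.g. "-rc1").
AFFECTED_FROM = (0, 2, 0, 0)    # first affected release
AFFECTED_UNTIL = (1, 3, 0, 1)   # last affected release
# Fix version per release branch, keyed by (major, minor).
FIXED_ON_BRANCH = {
    (1, 1): (1, 1, 14, 1),
    (1, 2): (1, 2, 8, 1),
    (1, 3): (1, 3, 1, 1),
}

def parse_version(text):
    """Parse '1.2.8', 'v1.3.1-rc1' or '1.2.7+ent' into (major, minor, patch, final)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(-[\w.]+)?(\+[\w.]+)?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised Nomad version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups()[:3])
    final = 0 if m.group(4) else 1   # a pre-release sorts before the final build
    return (major, minor, patch, final)

def is_affected(text):
    """True if this Nomad version is vulnerable according to HCSEC-2022-14."""
    v = parse_version(text)
    fixed = FIXED_ON_BRANCH.get(v[:2])
    if fixed is not None:
        # Branch that received a fix: only builds older than the fix are affected.
        return v < fixed
    # Any other branch: affected iff inside the bulletin's stated range.
    return AFFECTED_FROM <= v <= AFFECTED_UNTIL

def recommended_upgrade(text):
    """Fixed release an affected version should move to, or None if not affected."""
    if not is_affected(text):
        return None
    fixed = FIXED_ON_BRANCH.get(parse_version(text)[:2])
    # Stay on the same branch where a fix exists; otherwise take the newest fix.
    target = fixed or max(FIXED_ON_BRANCH.values())
    return ".".join(str(p) for p in target[:3])

if __name__ == "__main__":
    for ver in ["1.0.18", "1.1.13", "1.1.14", "1.2.0", "1.2.7+ent", "v1.3.1-rc1", "1.3.1"]:
        print(f"{ver:12} affected={is_affected(ver)!s:5} upgrade_to={recommended_upgrade(ver)}")
```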
Acknowledgement
Underlying go-getter issues were identified by external researchers (Joern Schneeweisz of GitLab and Alessio Della Libera of Snyk) and HashiCorp Product Security team members, with specific Nomad exposure identified during internal investigation.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see Security at HashiCorp.