Bulletin ID: HCSEC-2022-22
Affected Products / Versions: Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5; fixed in 1.2.13, 1.3.6, and 1.4.0.
Publication Date: October 10, 2022
Summary
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a job submitted with an invalid S3 or GCS URL in an artifact stanza can cause a panic, crashing a Nomad client agent. This vulnerability, CVE-2022-41606, was fixed in Nomad 1.2.13, 1.3.6, and 1.4.0.
Background
Nomad utilizes HashiCorp’s go-getter library for its artifact stanza that can be included in jobs submitted to the cluster. These custom artifacts (files) can be retrieved using various protocols.
Details
An external party reported it was possible to crash Nomad client agents using an invalid AWS S3 or GCP GCS URL in an artifact stanza. This behavior may be used by a malicious operator or third party with authenticated access to the submit-job capability to perform a denial of service attack.
Nomad’s usage of go-getter has been modified to allow Nomad to recover from panics during artifact retrieval, both preventing an agent crash in the specific cases described and protecting against similar issues that may be discovered in future.
Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.2.13, 1.3.6, or 1.4.0, or newer.
See Nomad’s Upgrading for general guidance on this process.
Acknowledgement
This issue was identified by a Nomad open source user.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.