HCSEC-2023-05 - Nomad Client Vulnerable to Decompression Bombs in Artifact Block

Bulletin ID: HCSEC-2023-05
Affected Products / Versions: Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3; fixed in 1.2.16 up to 1.3.9, and 1.4.4.
Publication Date: February 15, 2023

Summary
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a job submitted with a maliciously compressed source (a.k.a. “Zip Bomb”) in an artifact stanza can cause excessive disk resource consumption, crashing a Nomad client agent. This vulnerability, CVE-2023-0821, was fixed in Nomad 1.2.16, 1.3.9, and 1.4.4.

Background
Nomad uses HashiCorp’s go-getter library to implement the artifact stanza that can be included in jobs submitted to the cluster. The custom artifacts (files) named in that stanza can be retrieved using various protocols.

Details
During internal investigation, we discovered it was possible to crash Nomad client agents using a maliciously crafted compressed artifact source. This behavior may be used by a malicious operator or third party with authenticated access to the submit-job capability to perform a denial of service attack.

Nomad’s usage of go-getter has been modified to allow Nomad administrators to set decompression limits on client agents. These options can be set in a client agent configuration file using artifact.decompression_size_limit and artifact.decompression_file_count_limit.
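As an added illustration of the kind of limits the two options above impose (example code, not Nomad's or go-getter's own implementation), the following Go program inflates a gzip'd tar while enforcing a file-count budget and a total-byte budget, and stops before either is exceeded. The exact limit semantics and the zero-filled sample archive are assumptions constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"io"
)

var ErrLimitExceeded = errors.New("decompression limit exceeded")
// ExtractBounded inflates a gzip'd tar into io.Discard (a real extractor would write to
// disk), failing as soon as more than maxFiles entries or maxBytes in total are seen.
func ExtractBounded(archive []byte, maxFiles int, maxBytes int64) (files int, total int64, err error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return 0, 0, err
	}
	tr := tar.NewReader(gz)
	for {
		if _, err = tr.Next(); err == io.EOF {
			return files, total, nil
		} else if err != nil {
			return files, total, err
		}
		if files++; files > maxFiles {
			return files, total, ErrLimitExceeded
		}
		// Inflate at most one byte past the remaining budget and count what actually came
		// out, not the Size a forged header claims; read errors resurface from tr.Next.
		n, _ := io.Copy(io.Discard, io.LimitReader(tr, maxBytes-total+1))
		if total += n; total > maxBytes {
			return files, total, ErrLimitExceeded
		}
	}
}

// BuildArchive is a constructed sample: n zero-filled entries, small on the wire but n*size bytes inflated.
func BuildArchive(n, size int) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for i := 0; i < n; i++ {
		tw.WriteHeader(&tar.Header{Name: "payload.bin", Mode: 0600, Size: int64(size)})
		tw.Write(make([]byte, size))
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
```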

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.2.16, 1.3.9, 1.4.4, or newer.

See Nomad’s Upgrading for general guidance on this process.

Acknowledgement
This issue was identified by HashiCorp’s Partner Solution engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.