CVE-2021-41865 - Jobspec with Host Networking and Consul Mesh Gateway may cause Clients to Segfault
A bug introduced in Nomad v1.1.1 allowed a jobspec to run that could cause Nomad client agents to crash. Because crashed clients may become lost, their allocations would be rescheduled, so the affected jobspec could move around the cluster and eventually cause all clients to crash.
Jobspecs using host networking and Consul Mesh Gateways can trigger the crash. See GitHub issue #11243 in hashicorp/nomad, "Creating a Consul mesh gateway with host networking mode causes segfault", for details.
Users should upgrade to Nomad v1.1.6. Upgrading Nomad servers will fix jobs scheduled afterward, but Nomad clients must be upgraded if an affected jobspec has already been deployed. Upgrading servers and clients is suggested.
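A triage check for the condition described above, added here as an example and not taken from HashiCorp or the Nomad code base: it flags task groups that pair host networking with a Consul mesh gateway and lists the clients still in the affected range. It assumes job JSON in the shape Nomad's JSON job format uses (`TaskGroups`, `Networks[].Mode`, `Services[].Connect.Gateway.Mesh`), treats v1.1.1 up to but not including v1.1.6 as affected, and uses constructed sample data.

```python
import re

# Assumed affected range, read from the advisory: introduced in v1.1.1, fixed in v1.1.6.
FIRST_AFFECTED, FIRST_FIXED = (1, 1, 1), (1, 1, 6)

def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v1.1.5' or '1.1.5+ent'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def version_affected(text):
    return FIRST_AFFECTED <= parse_version(text) < FIRST_FIXED

def risky_groups(job):
    """Names of task groups that pair host networking with a Consul mesh gateway."""
    job = job.get("Job", job)  # accept the {"Job": {...}} wrapper or a bare job
    hits = []
    for group in job.get("TaskGroups") or []:
        # An empty Mode counts as host, which is Nomad's default network mode.
        host_net = any((net.get("Mode") or "host") == "host"
                       for net in group.get("Networks") or [])
        mesh_gw = any(((svc.get("Connect") or {}).get("Gateway") or {}).get("Mesh") is not None
                      for svc in group.get("Services") or [])
        if host_net and mesh_gw:
            hits.append(group.get("Name", "<unnamed>"))
    return hits

def triage(job, client_versions):
    """Report flagged groups and the clients whose version is in the affected range."""
    groups = risky_groups(job)
    exposed = sorted(n for n, v in client_versions.items() if version_affected(v))
    return {"groups": groups, "exposed_clients": exposed if groups else []}

# Constructed sample data: a trimmed job in JSON API shape and made-up node names.
SAMPLE_JOB = {"Job": {"ID": "example", "TaskGroups": [
    {"Name": "mesh", "Networks": [{"Mode": "host"}],
     "Services": [{"Name": "gw", "Connect": {"Gateway": {"Mesh": {}}}}]},
    {"Name": "web", "Networks": [{"Mode": "bridge"}],
     "Services": [{"Name": "web", "Connect": {"SidecarService": {}}}]},
]}}
SAMPLE_CLIENTS = {"node-a": "1.1.5", "node-b": "1.1.6", "node-c": "1.0.12"}

if __name__ == "__main__":
    print(triage(SAMPLE_JOB, SAMPLE_CLIENTS))
```

A flagged group on a cluster with no exposed clients needs no action beyond confirming the servers are also upgraded; a flagged group with exposed clients matches the case where the advisory says clients must be upgraded.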
Nomad v1.0.12 and other fixes
While Nomad v1.0.x is not affected by the CVE, both v1.1.6 and v1.0.12 contain a few other small fixes:
- build: Updated Go [GH-11252] [GH-11253]
- client: Fixed a memory leak in log collector when tasks restart [GH-11261]
- events: Fixed wildcard namespace handling [GH-10935]
- 1.0.12 Changelog: nomad/CHANGELOG.md at v1.0.12 (hashicorp/nomad on GitHub)
- 1.0.12 Binaries: Nomad v1.0.12 Binaries (HashiCorp Releases)
- 1.1.6 Changelog: nomad/CHANGELOG.md at v1.1.6 (hashicorp/nomad on GitHub)
- 1.1.6 Binaries: Nomad v1.1.6 Binaries (HashiCorp Releases)