Nomad 1.0.3 and 0.12.10 Released

Nomad 1.0.3 and Nomad 0.12.10 were released with an important security fix:

CVE-2021-3283 Nomad exec and java tasks do not run in isolated PID/IPC namespaces

A vulnerability was discovered in Nomad and Nomad Enterprise (“Nomad”) wherein processes launched by exec-based task drivers (i.e., exec and java) are not isolated into new PID and IPC namespaces. As a result, they have visibility into other processes. Specifically, they can view the environment and filesystem for other processes running as the same user (default: nobody), including secrets and Vault tokens. This affects all known versions of Nomad. The patch applies to Nomad clients running the exec or java task drivers on Linux. Third-party driver plugins that use the shared library code may be similarly affected.

This issue is identified publicly as CVE-2021-3283.

Remediation:

Users should upgrade clients to Nomad or Nomad Enterprise 1.0.3, 0.12.10, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

Links:

Changelog - https://github.com/hashicorp/nomad/blob/v1.0.3/CHANGELOG.md
Binaries - Nomad v1.0.3 Binaries | HashiCorp Releases
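As an added example, not part of this announcement or of Nomad's own tooling, the following POSIX shell script lets an operator on a Nomad client host verify that a running task process has actually been placed in its own PID and IPC namespaces (the isolation CVE-2021-3283 is about) after upgrading. It assumes Linux `/proc`, that it runs as root (reading another user's `/proc/<pid>/ns/*` links needs ptrace-level access), that the host's PID 1 lives in the root namespaces, and that the operator supplies the task's PID; the namespace inode values used to exercise the classifier are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or from Nomad): check whether a task
# process on a Nomad client shares the host's PID and IPC namespaces.
# Assumptions: Linux /proc, run as root, host PID 1 is in the root namespaces.

# Classify two namespace link targets such as "pid:[4026531836]".
# Same inode  => the task shares that namespace with the reference (no isolation).
# Different   => the task has its own namespace of that kind.
# Empty value => the link could not be read (wrong PID, missing privilege).
classify_ns() {
  task_ns="$1"
  ref_ns="$2"
  if [ -z "$task_ns" ] || [ -z "$ref_ns" ]; then
    echo unknown
  elif [ "$task_ns" = "$ref_ns" ]; then
    echo shared
  else
    echo isolated
  fi
}

# Read the namespace link of one kind (pid, ipc, mnt, ...) for a PID.
# Prints nothing on failure so the caller classifies it as "unknown".
ns_for_pid() {
  readlink "/proc/$1/ns/$2" 2>/dev/null
}

# Compare the task's pid and ipc namespaces against the host's PID 1.
# Prints one line per kind: "<kind> <shared|isolated|unknown>".
# A "shared" result for an exec/java task means the fix is not in effect.
check_task_isolation() {
  pid="$1"
  for kind in pid ipc; do
    echo "$kind $(classify_ns "$(ns_for_pid "$pid" "$kind")" "$(ns_for_pid 1 "$kind")")"
  done
}

# Usage: ./check_ns.sh <task pid>
# (e.g. the PID of the task's command as found with pgrep on the client host)
if [ -n "$1" ]; then
  check_task_isolation "$1"
fi
```

Run it against the PID of an exec or java task's main process; after the upgrade both lines should read `isolated`, while a pre-1.0.3 client shows `shared` for both kinds. Because the script only compares namespace inodes, it works regardless of what the task itself runs and does not need anything installed inside the task's chroot.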


Debian repo only has 1.0.2 at the moment.

1.0.3 had to be replaced because of a problem in the packaging. Search for 1.0.3-2:

apt-get install nomad="1.0.3*"
