Nomad 1.2.1, 1.1.8, and 1.0.14 Released

CVE-2021-43415 - QEMU tasks may gain access to host resources.

The QEMU driver allows arbitrary command-line options, but many of these options give access to host resources, such as devices, that operators may not want to expose. See GitHub issue #11542 in hashicorp/nomad, "CVE-2021-43415 - Nomad QEMU Task Driver Allowed Paths Bypass with Job Args", for details.

Remediation

Users should upgrade to Nomad v1.2.1. Upgrading makes it possible to configure the QEMU task driver to restrict which arguments may be specified in a task.

Links

1.2.1 Changelog - hashicorp/nomad CHANGELOG.md at v1.2.1 (GitHub)
1.2.1 Binaries - Nomad v1.2.1 Binaries (HashiCorp Releases)
1.1.8 Changelog - hashicorp/nomad CHANGELOG.md at v1.1.8 (GitHub)
1.1.8 Binaries - Nomad v1.1.8 Binaries (HashiCorp Releases)
1.0.14 Changelog - hashicorp/nomad CHANGELOG.md at v1.0.14 (GitHub)
1.0.14 Binaries - Nomad v1.0.14 Binaries (HashiCorp Releases)

Thanks,

The Nomad Team
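
For the remediation above, operators restricting QEMU arguments (the plugin's args_allowlist option) need to know which flags existing jobs already pass. The following is an added example, not code from Nomad or from this announcement, that audits job JSON against a proposed allowlist. It assumes job JSON shaped like `nomad job inspect` output and exact matching of arguments that begin with "-"; the function name and the sample job are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample shaped like `nomad job inspect` JSON; not from the advisory.
const sampleJob = `{"Job":{"TaskGroups":[{"Tasks":[
 {"Name":"guest","Driver":"qemu","Config":{"args":["-nodefaults","-device","virtio-rng-pci","-vnc",":1"]}},
 {"Name":"web","Driver":"docker","Config":{"args":["-listen",":8080"]}}]}]}}`

// DisallowedQEMUFlags lists, as "task: flag", every flag-like argument (leading "-")
// of a QEMU task that is missing from the proposed allowlist (hypothetical helper).
func DisallowedQEMUFlags(jobJSON string, allowlist []string) ([]string, error) {
	var jf struct {
		Job struct {
			TaskGroups []struct {
				Tasks []struct{ Name, Driver string; Config struct{ Args []string } }
			}
		}
	}
	if err := json.Unmarshal([]byte(jobJSON), &jf); err != nil {
		return nil, err
	}
	allowed := map[string]bool{}
	for _, a := range allowlist {
		allowed[a] = true
	}
	var findings []string
	for _, tg := range jf.Job.TaskGroups {
		for _, t := range tg.Tasks {
			if t.Driver != "qemu" {
				continue // tasks using other drivers are out of scope here
			}
			for _, arg := range t.Config.Args {
				if f := strings.TrimSpace(arg); strings.HasPrefix(f, "-") && !allowed[f] {
					findings = append(findings, t.Name+": "+f)
				}
			}
		}
	}
	return findings, nil
}

func main() {
	fmt.Println(DisallowedQEMUFlags(sampleJob, []string{"-nodefaults", "-vnc"}))
}
```

Each finding is a flag that must either be added to the allowlist deliberately or removed from the job before the restriction is enforced.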