Nomad 1.2.3 has been released to upgrade to Go 1.17.5. All prior versions of Nomad were built with a version of Go affected by two CVEs:
- CVE-2021-44717 could allow a task on a Unix system with exhausted file handles to misdirect I/O.
- CVE-2021-44716 could create unbounded memory growth in HTTP/2 servers, but Nomad servers do not use HTTP/2 and are unaffected.
Remediation
Users should upgrade Nomad agents to Nomad v1.2.3. Upgrading both servers and clients is recommended.
Backports
Nomad 1.1.9 and Nomad 1.0.15 have been released with Go upgraded to 1.16.12 to remediate the vulnerabilities.
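To check a fleet against the fixed releases named above, the following added example (not HashiCorp's code) classifies agent version strings per release line. The inventory rows are constructed, and treating release lines newer than 1.2 as fixed is an assumption.

```python
import re

# Fixed release per release line, taken from the advisory text above.
FIXED = {(1, 2): (1, 2, 3), (1, 1): (1, 1, 9), (1, 0): (1, 0, 15)}
NEWEST_LINE = max(FIXED)

# MAJOR.MINOR.PATCH with optional "v" prefix, pre-release tag and build metadata.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def classify(version):
    """Return 'fixed', 'upgrade' or 'unknown' for one Nomad version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable: needs a manual look, never assume fixed
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    line = release[:2]
    if line > NEWEST_LINE:
        return "fixed"  # assumption: later release lines keep the Go upgrade
    fixed = FIXED.get(line)
    if fixed is None:
        return "upgrade"  # pre-1.0 line: the advisory lists no backport for it
    if release == fixed and m.group(4):
        return "upgrade"  # a pre-release of the fixed version sorts before it
    return "fixed" if release >= fixed else "upgrade"


def audit(inventory):
    """Group (agent name, role, version) rows by classification."""
    report = {"fixed": [], "upgrade": [], "unknown": []}
    for name, role, version in inventory:
        report[classify(version)].append(f"{name} ({role}, {version})")
    return report


# Constructed inventory; in practice, collect each agent's reported version.
SAMPLE = [
    ("srv-1", "server", "1.2.3"),
    ("srv-2", "server", "v1.2.2"),
    ("cli-1", "client", "1.1.9+ent"),
    ("cli-2", "client", "1.0.14"),
    ("cli-3", "client", "0.12.10"),
    ("cli-4", "client", "1.2.3-rc1"),
    ("cli-5", "client", "dev"),
]

if __name__ == "__main__":
    for status, agents in audit(SAMPLE).items():
        print(f"{status}: {', '.join(agents) or '-'}")
```

Agents reported as unknown should be checked by hand rather than assumed patched.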
Links
- 1.2.3 Changelog: nomad/CHANGELOG.md at v1.2.3 (hashicorp/nomad on GitHub)
- 1.2.3 Binaries: Nomad v1.2.3 Binaries (HashiCorp Releases)
- 1.1.9 Changelog: nomad/CHANGELOG.md at v1.1.9 (hashicorp/nomad on GitHub)
- 1.1.9 Binaries: Nomad v1.1.9 Binaries (HashiCorp Releases)
- 1.0.15 Changelog: nomad/CHANGELOG.md at v1.0.15 (hashicorp/nomad on GitHub)
- 1.0.15 Binaries: Nomad v1.0.15 Binaries (HashiCorp Releases)