Nomad 1.2.6, 1.1.12, and 1.0.18 Released

Nomad 1.2.6, 1.1.12, and 1.0.18 have been released with several security fixes that surfaced during extensive internal and external tests.

Breaking change

A vulnerability discovered in the Nomad API job parse endpoint required the introduction of ACL authentication for that endpoint. Refer to Upgrading Nomad for more information.

CVE-2022-24686 - Nomad Artifact Download Race Condition

Nomad and Nomad Enterprise (“Nomad”) uses go-getter in an unsafe way, allowing a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. This vulnerability, CVE-2022-24686, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.

Remediation:

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

CVE-2022-24683 - Nomad alloc exec+fs Container Escape

Nomad and Nomad Enterprise (“Nomad”) allows operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root through the Nomad client agent. This vulnerability, CVE-2022-24683, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.

Remediation:

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

CVE-2022-24685 - Nomad Job Parsing Results in Excessive CPU Usage

Nomad and Nomad Enterprise (“Nomad”) allows anyone with access to Nomad’s API to submit HCL formatted jobs for parsing to return the equivalent JSON. This endpoint allowed malformed HCL configuration to be evaluated, resulting in excessive CPU usage on Nomad server agents. This vulnerability, CVE-2022-24685, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.

Remediation:

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

CVE-2022-24684 - Nomad Spread Job Stanza Can Trigger Panic in Servers

Nomad and Nomad Enterprise (“Nomad”) allows operators with job-submit capabilities to use the spread stanza in a way that can cause a panic in Nomad servers. This vulnerability, CVE-2022-24684, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.

Remediation:

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.
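To make the "evaluate and upgrade" step concrete for all four CVEs above, here is an added Python check (not part of this announcement or the Nomad project) that maps a version string or the first line of `nomad version` output onto the fixed releases listed above. It assumes that a pre-release build of a fixed version (e.g. 1.2.6-rc1) is unpatched and that every minor line newer than 1.2 was cut after the fix.

```python
"""Check whether a Nomad build carries the fixes for CVE-2022-24683,
CVE-2022-24684, CVE-2022-24685 and CVE-2022-24686.

Added example; not code from the release announcement or the Nomad project.
Fix versions are taken from the announcement: 1.0.18, 1.1.12 and 1.2.6.
"""
import re

# Earliest patched release on each affected minor line (from the announcement).
FIXED_PATCH = {(1, 0): 18, (1, 1): 12, (1, 2): 6}
NEWEST_FIXED_LINE = (1, 2)

# Accepts "1.2.6", "v1.2.6", "1.2.6+ent" (Enterprise), "1.2.6-rc1", and the
# first line of `nomad version`, e.g. "Nomad v1.2.6 (<commit hash>)".
_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?"
)


def parse_version(text):
    """Return (major, minor, patch, is_release); raise ValueError if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    # Assumption: a pre-release (1.2.6-rc1) predates the final release and is
    # treated as unpatched.
    return major, minor, patch, m.group(4) is None


def is_patched(text):
    """True if the build contains the fixes announced above."""
    major, minor, patch, is_release = parse_version(text)
    line = (major, minor)
    if line in FIXED_PATCH:
        fix = FIXED_PATCH[line]
        return patch > fix or (patch == fix and is_release)
    # Assumption: lines newer than 1.2 were cut after the fix; older lines
    # (0.x) never received a patched release.
    return line > NEWEST_FIXED_LINE


if __name__ == "__main__":
    # Constructed sample `nomad version` outputs, not taken from real hosts.
    samples = ("Nomad v1.2.5 (deadbeef)", "Nomad v1.2.6+ent (deadbeef)",
               "Nomad v1.1.12", "Nomad v1.2.6-rc1", "Nomad v0.12.9")
    for out in samples:
        print(f"{out:30} patched={is_patched(out)}")
```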

Links

1.2.6 Changelog - https://github.com/hashicorp/nomad/blob/v1.2.6/CHANGELOG.md
1.2.6 Binaries - Nomad v1.2.6 Binaries | HashiCorp Releases
1.1.12 Changelog - https://github.com/hashicorp/nomad/blob/v1.1.12/CHANGELOG.md
1.1.12 Binaries - Nomad v1.1.12 Binaries | HashiCorp Releases
1.0.18 Changelog - https://github.com/hashicorp/nomad/blob/v1.0.18/CHANGELOG.md
1.0.18 Binaries - Nomad v1.0.18 Binaries | HashiCorp Releases

Thanks,

The Nomad Team.