Nomad 1.4.4, 1.3.9, and 1.2.16 released

CVE-2023-0821 - Nomad Client Vulnerable to Decompression Bombs in Artifact Block

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a job submitted with a maliciously compressed source (a.k.a. a “Zip Bomb”) in an artifact stanza can cause excessive disk resource consumption, crashing a Nomad client agent. This vulnerability, CVE-2023-0821, was fixed in Nomad 1.2.16, 1.3.9, and 1.4.4.

Background:

Nomad utilizes HashiCorp’s go-getter library for its artifact stanza that can be included in jobs submitted to the cluster. These custom artifacts (files) can be retrieved using various protocols and automatically extracted.

Details:

During an internal investigation, we discovered it was possible to crash Nomad client agents using a maliciously crafted compressed artifact source. This behavior may be used by a malicious operator or third party with authenticated access to the submit-job capability to perform a denial of service attack.

Nomad’s usage of go-getter has been modified to allow Nomad administrators to set decompression limits on client agents. These options can be set in a client agent configuration file using artifact.decompression_size_limit and artifact.decompression_file_count_limit.
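The following client agent configuration fragment is an added illustration of the two options named above; it is not taken from the advisory or from Nomad's own documentation. It assumes the artifact block is nested inside the client block, and the limit values shown are example values chosen for this illustration, not recommended or default values.

```hcl
# Example Nomad client agent configuration (added illustration, not from the advisory).
# The artifact block is assumed to sit inside the client block.
client {
  enabled = true

  artifact {
    # Cap on the total number of bytes that may be written to disk when
    # a compressed artifact is extracted. A "Zip Bomb" expands far past
    # its download size, so this bounds disk consumption on the client.
    decompression_size_limit = "5GB"   # example value

    # Cap on the number of files an archive may produce when extracted,
    # bounding inode use and per-file overhead from archives that hold
    # huge numbers of tiny entries.
    decompression_file_count_limit = 4096   # example value
  }
}
```

Restart the client agent after changing these values so the new limits apply to subsequent artifact downloads; jobs whose artifacts exceed a limit will fail to start on that client rather than exhausting its disk.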

Remediation:

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.2.16, 1.3.9, 1.4.4, or newer.

See Nomad’s Upgrading documentation for general guidance on this process.

Links

1.4.4 Binaries - Nomad v1.4.4 Binaries | HashiCorp Releases
1.4.4 Changelog - Release v1.4.4 · hashicorp/nomad · GitHub
1.3.9 Binaries - Nomad v1.3.9 Binaries | HashiCorp Releases
1.3.9 Changelog - Release v1.3.9 · hashicorp/nomad · GitHub
1.2.16 Binaries - Nomad v1.2.16 Binaries | HashiCorp Releases
1.2.16 Changelog - Release v1.2.16 · hashicorp/nomad · GitHub

The Nomad Team