Nomad 1.5.1 has been released with important security and bug fixes and other improvements.
- A vulnerability was identified in Nomad and Nomad Enterprise 1.5.0 such that a user with the submit-job ACL capability can submit a job that can escalate to management-level privileges. This vulnerability, CVE-2023-1299, was fixed in Nomad 1.5.1.
- A vulnerability was identified in Nomad and Nomad Enterprise 1.4.0 and above such that a deny ACL capability could not be applied to a workload’s own variables. If a deny capability was included, the Nomad ACL system would silently fail to block access. This vulnerability, CVE-2023-1296, was fixed in Nomad 1.4.6 and 1.5.1.
Major bug fixes:
- Reverted a change introduced in Nomad 1.5.0 where, on Linux clients, artifacts would be downloaded as the nobody user, which was leading to file permission errors and allocation failures on hardened Nomad clients.
- Fixed a bug introduced in Nomad 1.5.0 where pause containers would be stopped within 10 minutes of starting.
- Fixed a longstanding bug where the scheduler’s dynamic port selection could conflict with itself, leading to frequent “plan for node rejected” errors for other allocations in the same job.
Nomad 1.5.1 also includes a fix for a bug that prevented allocations with interpolated values in Consul services from being marked as healthy, a fix for client connections connecting to the wrong server address, and the addition of template and json arguments to the alloc check command. See the changelog for more.
Along with Nomad 1.5.1 and Nomad Enterprise 1.5.1, we’re also releasing Nomad 1.4.6 and 1.3.11 with backported bug fixes. See the 1.4.6 and 1.3.11 changelogs for more details.
The Nomad Team
1.5.1 Binaries - Nomad v1.5.1 Binaries | HashiCorp Releases
1.5.1 Changelog - https://github.com/hashicorp/nomad/blob/v1.5.1/CHANGELOG.md
1.4.6 Binaries - Nomad v1.4.6 Binaries | HashiCorp Releases
1.4.6 Changelog - https://github.com/hashicorp/nomad/blob/v1.4.6/CHANGELOG.md
1.3.11 Binaries - Nomad v1.3.11 Binaries | HashiCorp Releases
1.3.11 Changelog - https://github.com/hashicorp/nomad/blob/v1.3.11/CHANGELOG.md