Nomad 1.5.3, 1.4.8, and 1.3.13 have been released with important security fixes.
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that an unauthenticated request sent to a client agent’s HTTP endpoint bypasses intended ACL authorizations when it is processed on the server through internal RPCs. As a result, unauthenticated HTTP requests can be used to submit a job to the cluster if mTLS is not enabled. This vulnerability, CVE-2023-1782, affects Nomad from 1.5.0 up to 1.5.2 and was fixed in 1.5.3.
Additionally, a vulnerability in the Go standard library was identified that allows unauthenticated HTTP requests to consume excessive memory if mTLS is not enabled. This vulnerability, CVE-2023-24534, affects all versions of Nomad and was fixed in Nomad 1.5.3, 1.4.8, and 1.3.13.
Remediation
- Users of Nomad 1.5.x should upgrade to Nomad 1.5.3.
- Users of versions of Nomad before 1.5.0 should upgrade to 1.4.8 or 1.3.13 if they do not have mTLS enabled. Nomad administrators should always use mTLS for HTTP and RPC endpoints. More requirements and recommendations for a secure Nomad deployment can be found in the security model documentation.
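The following triage helper is an added example, not HashiCorp tooling: it applies the version ranges and the mTLS condition stated in this advisory to a fleet of agent records. It assumes version strings of the form "1.5.2" (optionally suffixed, e.g. "+ent"), that mTLS means TLS enabled for both HTTP and RPC with HTTP client certificate verification on, and that the agent records are constructed sample data rather than live output.

```python
"""Triage helper for CVE-2023-1782 and CVE-2023-24534 (added example)."""
import re

# Fixed versions per release line, as stated in the advisory.
FIXED = {(1, 5): (1, 5, 3), (1, 4): (1, 4, 8), (1, 3): (1, 3, 13)}


def parse_version(s):
    """'1.5.2+ent' -> (1, 5, 2); raises ValueError on unrecognised input."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised Nomad version: {s!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, http_tls, rpc_tls, verify_https_client):
    """Return the advisory CVE ids the agent is exposed to (empty if none).

    Assumption: mTLS counts as enabled only when TLS is on for HTTP and RPC
    and the HTTP listener verifies client certificates. Both issues in the
    advisory are conditioned on mTLS being absent.
    """
    v = parse_version(version)
    if http_tls and rpc_tls and verify_https_client:
        return []
    findings = []
    # CVE-2023-1782: ACL bypass via client HTTP -> server RPC, 1.5.0..1.5.2.
    if (1, 5, 0) <= v <= (1, 5, 2):
        findings.append("CVE-2023-1782")
    # CVE-2023-24534: Go stdlib memory exhaustion; fixed in 1.5.3/1.4.8/1.3.13.
    line = v[:2]
    if line in FIXED:
        vulnerable = v < FIXED[line]
    else:
        # Lines older than 1.3 never received the fix; newer lines ship it.
        vulnerable = line < (1, 3)
    if vulnerable:
        findings.append("CVE-2023-24534")
    return findings


# Constructed sample fleet: (name, version, http_tls, rpc_tls, verify_https_client)
SAMPLE_FLEET = [
    ("client-a", "1.5.2", False, False, False),
    ("client-b", "1.5.2", True, True, True),
    ("server-c", "1.4.7+ent", True, False, False),
    ("client-d", "1.3.13", False, False, False),
]


def audit(fleet=SAMPLE_FLEET):
    """Map each agent name to its list of exposed CVE ids."""
    return {name: assess(*rest) for name, *rest in fleet}
```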
Thank you,
The Nomad Team
Links
1.5.3 Changelog - https://github.com/hashicorp/nomad/blob/v1.5.3/CHANGELOG.md
1.5.3 Binaries - Nomad v1.5.3 Binaries | HashiCorp Releases
1.4.8 Changelog - nomad/CHANGELOG.md at v1.4.8 · hashicorp/nomad · GitHub
1.4.8 Binaries - Nomad v1.4.8 Binaries | HashiCorp Releases
1.3.13 Changelog - https://github.com/hashicorp/nomad/blob/v1.3.13/CHANGELOG.md
1.3.13 Binaries - Nomad v1.3.13 Binaries | HashiCorp Releases