Nomad v0.10.3 Security Release

Nomad 0.10.3 was released with important security fixes:

CVE-2020-7218 - HTTP/RPC Unbounded Resource Usage

Prior to Nomad 0.10.3 there were no limits or timeouts placed on TCP connections which could allow for denial of service via unbounded resource consumption by a remote TCP client.

A pre-mTLS handshake timeout as well as per-remote-address limits have been added. Please see issue #7002 and the Upgrade Guide for details.

CVE-2020-7956 - Insufficient mTLS Certificate Validation

Prior to Nomad 0.10.3 mTLS client certificate validation was not as strict as intended. Before upgrading to Nomad 0.10.3, operators using mTLS with verify_server_hostname = true should confirm that the common name or SAN of all Nomad client node certs is client.<region>.nomad, and that the common name or SAN of all Nomad server node certs is server.<region>.nomad. Please see issue #7003 and the Upgrade Guide for details.

Go 1.12.16 Security Fixes

Nomad 0.10.3 is built with Go 1.12.16 to address security issues that affect Windows and 32-bit Nomad binaries. See Go’s announcement for details.

Nomad 0.10.4 and 0.11.0

All features and bug fixes targeting Nomad 0.10.3 will now be released in Nomad 0.10.4 in February 2020. Nomad 0.11.0 will be the next feature release of Nomad after that. Thanks for your patience.

Links:

Changelog - https://github.com/hashicorp/nomad/blob/v0.10.3/CHANGELOG.md

Binaries - https://releases.hashicorp.com/nomad/0.10.3/

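The two controls named for CVE-2020-7218, a cap on connections per remote address and a deadline on the handshake, as an added example that is not Nomad's own code and does not claim to mirror how Nomad implemented them. The handshake is stood in for by a blocking read, `net.Pipe` plays the silent client, and the names (`connLimiter`, `serveConn`, `handshakeWithDeadline`) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// Added example, not Nomad's code: a per-remote-address connection cap plus a
// deadline on the (m)TLS handshake. The cap stops one client from holding
// thousands of sockets; the deadline stops a half-open client from pinning a
// goroutine and file descriptor forever.

var errTooManyConns = errors.New("too many connections from remote address")

// connLimiter counts live connections per remote IP.
type connLimiter struct {
	mu       sync.Mutex
	perIP    map[string]int
	maxPerIP int
}

func newConnLimiter(maxPerIP int) *connLimiter {
	return &connLimiter{perIP: make(map[string]int), maxPerIP: maxPerIP}
}

// acquire reserves a slot for ip or fails once the cap is reached.
func (l *connLimiter) acquire(ip string) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.perIP[ip] >= l.maxPerIP {
		return errTooManyConns
	}
	l.perIP[ip]++
	return nil
}

// release frees a slot taken by acquire.
func (l *connLimiter) release(ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.perIP[ip] <= 1 {
		delete(l.perIP, ip)
		return
	}
	l.perIP[ip]--
}

func (l *connLimiter) count(ip string) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.perIP[ip]
}

// remoteIP keys the limiter by IP, not IP:port (an attacker varies ports freely).
func remoteIP(addr net.Addr) string {
	if tcp, ok := addr.(*net.TCPAddr); ok {
		return tcp.IP.String()
	}
	return addr.String()
}

// handshakeWithDeadline bounds the handshake, then clears the deadline so the
// established connection is governed by the normal request timeouts.
func handshakeWithDeadline(conn net.Conn, timeout time.Duration, handshake func(net.Conn) error) error {
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	if err := handshake(conn); err != nil {
		return fmt.Errorf("handshake: %w", err)
	}
	return conn.SetDeadline(time.Time{})
}

// isTimeout reports whether err stems from an expired deadline.
func isTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// serveConn is the per-connection path an accept loop would run: cap, then
// bounded handshake, then the real handler; any failure closes the socket.
func serveConn(conn net.Conn, l *connLimiter, timeout time.Duration,
	handshake func(net.Conn) error, handle func(net.Conn)) error {
	ip := remoteIP(conn.RemoteAddr())
	if err := l.acquire(ip); err != nil {
		conn.Close()
		return err
	}
	defer l.release(ip)
	if err := handshakeWithDeadline(conn, timeout, handshake); err != nil {
		conn.Close()
		return err
	}
	handle(conn)
	return nil
}

// readOneByte stands in for a TLS handshake: it blocks until the peer sends.
func readOneByte(conn net.Conn) error {
	_, err := conn.Read(make([]byte, 1))
	return err
}

func main() {
	l := newConnLimiter(2)
	server, client := net.Pipe() // a client that connects and then goes silent
	defer client.Close()
	err := serveConn(server, l, 50*time.Millisecond, readOneByte, func(net.Conn) {})
	fmt.Println("silent client cut off:", isTimeout(err), "slots still held:", l.count("pipe"))
}
```

The order matters: the cap is checked before any handshake work is done, so a flood of connections from one address is refused without spending a TLS handshake on each, and the slot is released on every exit path so a rejected handshake cannot leak a count.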
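The pre-upgrade check the CVE-2020-7956 note asks operators to perform, written out as an added example rather than anything shipped with Nomad: parse each node certificate and confirm that its CN or a DNS SAN is exactly client.<region>.nomad or server.<region>.nomad for the role that node plays. The `selfSigned` helper only mints throwaway certificates so the check runs offline; the function names and the sample names (`global`, `nomad-server-1`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Added example, not Nomad's code. Before upgrading to 0.10.3, each node cert
// should name its role: client.<region>.nomad for clients, server.<region>.nomad
// for servers, in the CN or a DNS SAN. role is "client" or "server".

var nomadName = regexp.MustCompile(`^(client|server)\.([^.]+)\.nomad$`)

// nomadNames returns every name on the cert (CN first, then DNS SANs) that
// follows the <role>.<region>.nomad convention.
func nomadNames(cert *x509.Certificate) []string {
	var out []string
	for _, n := range append([]string{cert.Subject.CommonName}, cert.DNSNames...) {
		if nomadName.MatchString(n) {
			out = append(out, n)
		}
	}
	return out
}

// checkRole verifies that cert carries <role>.<region>.nomad and reports any
// other Nomad role name on the same cert, since such a cert would also be
// accepted for that other role or region.
func checkRole(cert *x509.Certificate, role, region string) error {
	want := fmt.Sprintf("%s.%s.nomad", role, region)
	found := false
	var extra []string
	for _, n := range nomadNames(cert) {
		if n == want {
			found = true
		} else {
			extra = append(extra, n)
		}
	}
	if !found {
		return fmt.Errorf("missing %s: CN=%q SANs=%v", want, cert.Subject.CommonName, cert.DNSNames)
	}
	if len(extra) > 0 {
		return fmt.Errorf("cert for %s also names %v", want, extra)
	}
	return nil
}

// checkPEM parses a PEM-encoded certificate (e.g. a node's cert file) and runs checkRole on it.
func checkPEM(pemBytes []byte, role, region string) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	return checkRole(cert, role, region)
}

// selfSigned mints a throwaway cert with the given CN and DNS SANs so the check
// can be exercised offline (constructed test input, not a real Nomad cert).
func selfSigned(cn string, sans []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	good := selfSigned("server.global.nomad", []string{"localhost"})
	legacy := selfSigned("nomad-server-1", []string{"nomad.example.internal"})
	fmt.Println("conforming server cert:", checkPEM(good, "server", "global"))
	fmt.Println("legacy server cert:", checkPEM(legacy, "server", "global"))
}
```

Run it against the actual cert files (`tls.cert_file` on each node) with the role and region that node is configured for; a cert that fails the check is one that relied on the looser validation and should be reissued before the upgrade.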

Thank you for sharing this @schmichael. :+1:

Thanks for the update! :+1:

A: Eagerly and anxiously waiting for Nomad 0.10.5 (or later) :worried:
B: Why anxiously, and why are you so worried?
A: 10-4 is over-and-out, that’s why!
B: :man_facepalming:
