Nomad v1.3.1, 1.2.8, and 1.1.14 Released

CVE-2022-30324 - Nomad Impacted by go-getter Vulnerabilities

A vulnerability was identified in the go-getter library that Nomad and Nomad Enterprise (“Nomad”) use for artifacts, such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. This vulnerability affects versions 0.2.0 through 1.3.0 and is fixed in the 1.1.14, 1.2.8, and 1.3.1 releases.

Remediation

Users should upgrade to Nomad v1.3.1, v1.2.8, or v1.1.14. Upgrading both servers and clients is suggested.
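
One way to triage an agent inventory against the affected range above, as an added example (not part of the original announcement and not HashiCorp code). The names parseCore and Affected and the sample inventory are hypothetical; the code assumes pre-release and build suffixes can be ignored and that later patch releases on the 1.1 and 1.2 lines keep the fix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseCore reads major.minor.patch from "v1.2.7+ent" or "1.3.0-beta.1"; suffixes are dropped (assumption).
func parseCore(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unrecognized version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognized version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// Affected reports whether v is in 0.2.0 through 1.3.0 and predates the fix on its release line.
func Affected(v string) (bool, error) {
	c, err := parseCore(v)
	if err != nil || (c[0] == 0 && c[1] < 2) {
		return false, err // unparseable, or older than 0.2.0 (outside the stated range)
	}
	switch {
	case c[0] == 1 && c[1] == 1:
		return c[2] < 14, nil // 1.1 line: fixed in 1.1.14
	case c[0] == 1 && c[1] == 2:
		return c[2] < 8, nil // 1.2 line: fixed in 1.2.8
	}
	// Everything else up to and including 1.3.0 has no fix on its own line.
	return c[0] == 0 || (c[0] == 1 && (c[1] < 3 || (c[1] == 3 && c[2] == 0))), nil
}

func main() {
	// Constructed inventory of agent versions, for illustration only.
	for _, v := range []string{"v1.2.7+ent", "1.1.14", "1.0.5", "1.3.0-beta.1", "1.3.1"} {
		a, err := Affected(v)
		fmt.Println(v, a, err)
	}
}
```

Run it over the versions reported by both servers and clients, since the announcement suggests upgrading both.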

Nomad v1.3.1

  • artifact: fix numerous go-getter security issues [GH-13057]
  • agent: fix panic when logging about protocol version config use [GH-12962]

Nomad 1.2.8, 1.1.14

  • artifact: fix numerous go-getter security issues [GH-13057]

Links
1.3.1 Binaries - https://releases.hashicorp.com/nomad/1.3.1/
1.3.1 Changelog - https://github.com/hashicorp/nomad/blob/v1.3.1/CHANGELOG.md
1.2.8 Binaries - https://releases.hashicorp.com/nomad/1.2.8/
1.2.8 Changelog - https://github.com/hashicorp/nomad/blob/v1.2.8/CHANGELOG.md
1.1.14 Binaries - https://releases.hashicorp.com/nomad/1.1.14/
1.1.14 Changelog - https://github.com/hashicorp/nomad/blob/v1.1.14/CHANGELOG.md

The Nomad Team