Nomad 1.5.3, 1.4.8, and 1.3.13 have been released with important security fixes.
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that an unauthenticated request sent to a client agent’s HTTP endpoint bypasses intended ACL authorizations when processed on server through internal RPCs. In doing so, unauthenticated HTTP requests can be used to submit a job to the cluster if there is no mTLS enabled. This vulnerability, CVE-2023-1782
, affects Nomad from 1.5.0 up to 1.5.2 and was fixed in 1.5.3.
Additionally, a vulnerability in the Go standard library was identified that allows unauthenticated HTTP requests to consume excessive memory if mTLS is not enabled. This vulnerability, CVE-2023-24534
, affects all versions of Nomad and was fixed in Nomad 1.5.3, 1.4.8, and 1.3.13.Remediation
- Users of Nomad 1.5.x should upgrade to Nomad 1.5.3.
- Users of versions of Nomad before 1.5.0 should upgrade to 1.4.8, or 1.3.13 if they do not have mTLS enabled.