[ANN] Nomad 1.2.6, 1.1.12, and 1.0.18 Released

32 views
Skip to first unread message

Luiz Aoqui

unread,
Feb 10, 2022, 3:53:44 PMFeb 10
to hashicorp...@googlegroups.com

Nomad 1.2.6, 1.1.12, and 1.0.18 have been released with several security fixes that surfaced during extensive internal and external tests.


Breaking change

A vulnerability was discovered in the Nomad API job parse endpoint which required the introduction of ACL authentication. Refer to Upgrading Nomad for more information.


CVE-2022-24686 - Nomad Artifact Download Race Condition

Nomad and Nomad Enterprise (“Nomad”) uses go-getter in an unsafe way, allowing a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. This vulnerability, CVE-2022-24686, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.


Remediation: 

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.



CVE-2022-24683 - Nomad alloc exec+fs Container Escape

Nomad and Nomad Enterprise (“Nomad”) allows operators with read-fs and alloc-exec (or job-submit) capabilities to read arbitrary files on the host filesystem as root through the Nomad client agent. This vulnerability, CVE-2022-24683, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.


Remediation: 

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.



CVE-2022-24685 - Nomad Job Parsing Results in Excessive CPU Usage

Nomad and Nomad Enterprise (“Nomad”) allows anyone with access to Nomad’s API to submit HCL formatted jobs for parsing to return the equivalent JSON. This endpoint allowed malformed HCL configuration to be evaluated, resulting in excessive CPU usage on Nomad server agents. This vulnerability, CVE-2022-24685, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.


Remediation: 

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.



CVE-2022-24684 - Nomad Spread Job Stanza Can Trigger Panic in Servers

Nomad and Nomad Enterprise (“Nomad”) allows operators with job-submit capabilities to use the spread stanza in a way such that it can cause panic in Nomad servers. This vulnerability, CVE-2022-24684, was fixed in Nomad 1.0.18, 1.1.12, and 1.2.6.


Remediation: 

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.18, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.


Links


1.2.6 Changelog - https://github.com/hashicorp/nomad/blob/v1.2.6/CHANGELOG.md 

1.2.6 Binaries - https://releases.hashicorp.com/nomad/1.2.6/ 

1.1.12 Changelog - https://github.com/hashicorp/nomad/blob/v1.1.12/CHANGELOG.md 

1.1.12 Binaries - https://releases.hashicorp.com/nomad/1.1.12/ 

1.0.18 Changelog - https://github.com/hashicorp/nomad/blob/v1.0.18/CHANGELOG.md 

1.0.18 Binaries - https://releases.hashicorp.com/nomad/1.0.18/ 


Thanks,


The Nomad Team.

Reply all
Reply to author
Forward
0 new messages