CVE-2023-0821 - Nomad Client Vulnerable to Decompression Bombs in Artifact Block

A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a job submitted with a maliciously compressed source (a.k.a. “Zip Bomb”) in an artifact stanza can cause excessive disk resource consumption, crashing a Nomad client agent. This vulnerability, CVE-2023-0821, was fixed in Nomad 1.2.16, 1.3.9, and 1.4.4.
Background: Nomad utilizes HashiCorp’s go-getter library for its artifact stanza that can be included in jobs submitted to the cluster. These custom artifacts (files) can be retrieved using various protocols and automatically extracted.
Details: During internal investigation, we discovered it was possible to crash Nomad client agents using a maliciously crafted compressed artifact source. This behavior may be used by a malicious operator or third party with authenticated access to the submit-job capability to perform a denial of service attack.
Nomad’s usage of go-getter has been modified to allow Nomad administrators to set decompression limits on client agents. These options can be set in a client agent configuration file using artifact.decompression_size_limit and artifact.decompression_file_count_limit.
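The two client settings named above bound the same two quantities that a bounded extractor has to track: bytes actually produced by decompression and the number of entries in the archive. The following Go program is an added illustration of that principle and is not code from Nomad or go-getter; the function names (ExtractLimited, buildSampleZip) and the limits used are assumptions made for this example. It builds a small, highly compressible zip in memory as constructed input, then extracts it while counting produced bytes (never trusting the sizes declared in the archive headers) and aborts as soon as either limit would be exceeded.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Sentinel errors returned when a decompression limit is exceeded.
var (
	ErrSizeLimit      = errors.New("decompressed size limit exceeded")
	ErrFileCountLimit = errors.New("file count limit exceeded")
)

// buildSampleZip constructs, entirely in memory, a zip archive whose entries
// each hold perFile bytes of zeros. Zeros compress extremely well, so the
// archive is tiny on the wire but large once inflated. This is constructed
// test input for the example, not a real artifact.
func buildSampleZip(files int, perFile int) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	payload := make([]byte, perFile) // all zeros
	for i := 0; i < files; i++ {
		w, err := zw.Create(fmt.Sprintf("file-%d.bin", i))
		if err != nil {
			panic(err)
		}
		if _, err := w.Write(payload); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// ExtractLimited walks a zip archive and inflates each entry through an
// io.LimitReader, stopping as soon as the cumulative decompressed byte count
// or the number of entries exceeds the configured limits. The byte check is
// made on data actually produced by the decompressor, not on header fields,
// because the archive (and therefore its headers) is attacker-controlled.
// Output goes to io.Discard here; a real extractor would write to disk.
// It returns the number of decompressed bytes produced before stopping.
func ExtractLimited(archive []byte, sizeLimit int64, fileCountLimit int) (int64, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return 0, err
	}
	var total int64
	for i, f := range zr.File {
		if i+1 > fileCountLimit {
			return total, ErrFileCountLimit
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		// Read at most one byte past the remaining budget so an oversized
		// entry is detected without inflating all of it.
		remaining := sizeLimit - total
		n, err := io.Copy(io.Discard, io.LimitReader(rc, remaining+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		total += n
		if total > sizeLimit {
			return total, ErrSizeLimit
		}
	}
	return total, nil
}

func main() {
	bomb := buildSampleZip(4, 1<<20) // 4 entries x 1 MiB inflated
	fmt.Printf("compressed archive: %d bytes\n", len(bomb))
	for _, limit := range []int64{8 << 20, 2 << 20} {
		n, err := ExtractLimited(bomb, limit, 10)
		fmt.Printf("size limit %d: produced %d bytes, err=%v\n", limit, n, err)
	}
	n, err := ExtractLimited(bomb, 1<<30, 2)
	fmt.Printf("file count limit 2: produced %d bytes, err=%v\n", n, err)
}
```

With an 8 MiB budget all four entries inflate; with a 2 MiB budget extraction stops one byte into the third entry, and with a file count limit of two it stops before opening the third entry. The important design choice is that the budget is charged per byte produced, so a header that lies about its uncompressed size gains the attacker nothing.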
Remediation: Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.2.16, 1.3.9, 1.4.4, or newer.
See Nomad’s Upgrading for general guidance on this process.
Links
1.4.4 Binaries - https://releases.hashicorp.com/nomad/1.4.4/
1.4.4 Changelog - https://github.com/hashicorp/nomad/releases/tag/v1.4.4
1.3.9 Binaries - https://releases.hashicorp.com/nomad/1.3.9/
1.3.9 Changelog - https://github.com/hashicorp/nomad/releases/tag/v1.3.9
1.2.16 Binaries - https://releases.hashicorp.com/nomad/1.2.16/
1.2.16 Changelog - https://github.com/hashicorp/nomad/releases/tag/v1.2.16

The Nomad Team