CVE-2023-0821 - Nomad Client Vulnerable to Decompression Bombs in Artifact Block
A vulnerability was identified in Nomad and Nomad Enterprise (“Nomad”) such that a job submitted with a maliciously compressed source (a.k.a. “Zip Bomb”) in an artifact stanza can cause excessive disk resource consumption, crashing a Nomad client agent. This vulnerability, CVE-2023-0821, was fixed in Nomad 1.2.16, 1.3.9, and 1.4.4.

Background:
Nomad utilizes HashiCorp’s go-getter library for its artifact stanza that can be included in jobs submitted to the cluster. These custom artifacts (files) can be retrieved using various protocols and automatically extracted.

Details:
During internal investigation, we discovered it was possible to crash Nomad client agents using a maliciously crafted compressed artifact source. This behavior may be used by a malicious operator or third party with authenticated access to the submit-job capability to perform a denial of service attack.
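The defence against this class of bug is to cap how much an archive may expand, both in bytes and in number of entries, and to stop before the excess is inflated. The Go program below is an added illustration of such a bounded tar.gz walk; it is not Nomad's or go-getter's code, the archive it checks is constructed in memory as a stand-in for a hostile artifact, and the limits passed in main are arbitrary placeholders.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

var ErrDecompressionLimit = errors.New("decompression limit exceeded")

// ExtractTarGz walks a gzip-compressed tar stream and stops with ErrDecompressionLimit as
// soon as the entry count or the cumulative declared payload exceeds its cap. Each entry is
// judged on its header, so an over-budget body is never inflated by tar.Reader.
func ExtractTarGz(src io.Reader, sizeLimit int64, fileCountLimit int) (files int, written int64, err error) {
	gz, err := gzip.NewReader(src)
	if err != nil {
		return 0, 0, err
	}
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next() // Next skips the previous entry's body, inflating it on the way
		if errors.Is(err, io.EOF) {
			return files, written, nil
		} else if err != nil {
			return files, written, err
		}
		if files++; files > fileCountLimit {
			return files, written, fmt.Errorf("%w: more than %d entries", ErrDecompressionLimit, fileCountLimit)
		}
		if written += hdr.Size; written > sizeLimit {
			return files, written, fmt.Errorf("%w: more than %d bytes", ErrDecompressionLimit, sizeLimit)
		}
	}
}

// buildTarGz is a constructed stand-in for a hostile artifact: n zero-filled files of size
// bytes each, which gzip shrinks to almost nothing while the tar inside stays n*size bytes.
func buildTarGz(n, size int) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for i := 0; i < n; i++ {
		tw.WriteHeader(&tar.Header{Name: fmt.Sprintf("f%d", i), Size: int64(size)})
		tw.Write(make([]byte, size))
	}
	tw.Close() // writes the tar trailer
	gz.Close() // flushes the gzip stream
	return buf.Bytes()
}

// Placeholder caps: a 3000-byte payload against a 2500-byte limit trips the size check.
func main() { fmt.Println(ExtractTarGz(bytes.NewReader(buildTarGz(3, 1000)), 2500, 10)) }
```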
Nomad’s usage of go-getter has been modified to allow Nomad administrators to set decompression limits on client agents. These options can be set in a client agent configuration file using artifact.decompression_size_limit and artifact.decompression_file_count_limit.

Remediation:
Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.2.16, 1.3.9, 1.4.4, or newer.
See Nomad’s Upgrading for general guidance on this process.

Links
1.4.4 Binaries - https://releases.hashicorp.com/nomad/1.4.4/
1.4.4 Changelog - https://github.com/hashicorp/nomad/releases/tag/v1.4.4
1.3.9 Binaries - https://releases.hashicorp.com/nomad/1.3.9/
1.3.9 Changelog - https://github.com/hashicorp/nomad/releases/tag/v1.3.9
1.2.16 Binaries - https://releases.hashicorp.com/nomad/1.2.16/
1.2.16 Changelog - https://github.com/hashicorp/nomad/releases/tag/v1.2.16
The Nomad Team