[ANN] Nomad v1.3.1, 1.2.8, and 1.1.14 Released

15 views
Skip to first unread message

Luiz Aoqui

unread,
May 20, 2022, 5:40:13 PMMay 20
to hashicorp...@googlegroups.com

CVE-2022-30324 - Nomad Impacted by go-getter Vulnerabilities


A vulnerability was identified in the go-getter library Nomad and Nomad Enterprise (“Nomad”) uses for its artifacts such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. This vulnerability affects versions 0.2.0 through 1.3.0, and is fixed in the 1.1.14, 1.2.8, and 1.3.1 releases.


Remediation


Users should upgrade to Nomad v1.3.1 or v1.2.8 or v1.1.14. Upgrading servers and clients is suggested.


Nomad v1.3.1

  • artifact: fix numerous go-getter security issues [GH-13057]

  • agent: fix panic when logging about protocol version config use [GH-12962]


Nomad 1.2.8, 1.1.14

  • artifact: fix numerous go-getter security issues [GH-13057]


Links

1.3.1 Binaries - https://releases.hashicorp.com/nomad/1.3.1/ 

1.3.1 Changelog - https://github.com/hashicorp/nomad/blob/v1.3.1/CHANGELOG.md

1.2.8 Binaries - https://releases.hashicorp.com/nomad/1.2.8/ 

1.2.8 Changelog - https://github.com/hashicorp/nomad/blob/v1.2.8/CHANGELOG.md

1.1.14 Binaries - https://releases.hashicorp.com/nomad/1.1.14/ 

1.1.14 Changelog - https://github.com/hashicorp/nomad/blob/v1.1.14/CHANGELOG.md

The Nomad Team

Reply all
Reply to author
Forward
0 new messages