[ANN] Nomad 1.0.5, 0.12.12 Released

Michael Schurter

May 12, 2021, 4:15:09 PM
to Nomad

Nomad 1.0.5 and Nomad 0.12.12 were released with an important security fix:

CVE-2021-32575 Nomad bridge networking mode allows ARP spoofing

A vulnerability was discovered in Nomad and Nomad Enterprise (“Nomad”) wherein processes launched by the docker, exec, and java task drivers that make use of Nomad's bridge networking mode can perform ARP spoofing attacks against other tasks on the same node. Specifically, tasks making use of bridge networking are susceptible to other tasks on the same node performing DoS and MITM attacks due to the default enablement of the CAP_NET_RAW Linux capability by these task drivers. This affects all known versions of Nomad. The patch applies to Nomad clients running docker, exec, or java task drivers on Linux with tasks making use of bridge networking mode. Third-party driver plugins that use the shared library code may be similarly affected.

The issue is identified publicly as CVE-2021-32575.

Remediation:

Users should upgrade clients to Nomad or Nomad Enterprise 1.0.5, 0.12.12, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

Links:

Changelog - https://github.com/hashicorp/nomad/blob/v1.0.5/CHANGELOG.md

Nomad v1.0.5 Binaries - https://releases.hashicorp.com/nomad/1.0.5/

Nomad v0.12.12 Binaries - https://releases.hashicorp.com/nomad/0.12.12/
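
The following audit is an added example, not part of the original announcement or of Nomad's code: it reads `/proc/<pid>/status` on a Linux client and reports processes whose capability sets include CAP_NET_RAW, the capability the advisory names. The function names and the sample status text are assumptions constructed for illustration.

```python
import os

CAP_NET_RAW = 13  # bit index from <linux/capability.h>
CAP_FIELDS = ("CapPrm", "CapEff", "CapBnd")

# Constructed sample /proc/<pid>/status excerpts, not captured from a real node.
SAMPLE_WITH_NET_RAW = """Name:\tsleep
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""
SAMPLE_WITHOUT_NET_RAW = SAMPLE_WITH_NET_RAW.replace("a80425fb", "a80405fb")


def parse_status(text):
    """Return {key: value} for every 'Key: value' line of a status file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def net_raw_sets(text):
    """List the capability sets (from CAP_FIELDS) that contain CAP_NET_RAW."""
    fields = parse_status(text)
    return [n for n in CAP_FIELDS if int(fields.get(n, "0"), 16) & (1 << CAP_NET_RAW)]


def scan_proc(root="/proc"):
    """Yield (pid, name, sets) for each live process that holds CAP_NET_RAW."""
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(root, entry, "status")) as fh:
                text = fh.read()
        except OSError:  # process exited or status is unreadable
            continue
        sets = net_raw_sets(text)
        if "CapEff" in sets or "CapPrm" in sets:
            yield int(entry), parse_status(text).get("Name", "?"), sets


if __name__ == "__main__":
    for pid, name, sets in scan_proc():
        print(f"{pid}\t{name}\t{','.join(sets)}")
```

Host processes running as root normally hold every capability and will appear in the output, so compare the result against the PIDs of the task processes on the client.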

