Summary
A vulnerability was identified in the go-getter library that Nomad and Nomad Enterprise (“Nomad”) use for artifacts, such that a specially crafted Nomad jobspec can be used for privilege escalation onto client agent hosts. This vulnerability affects Nomad versions 0.2.0 through 1.3.0, and is fixed in the 1.1.14, 1.2.8, and 1.3.1 releases.
Background
Nomad utilizes HashiCorp’s go-getter library for its artifact stanza that can be included in jobs submitted to the cluster. These custom artifacts (files) can be retrieved using various protocols.
Details
Vulnerabilities were discovered externally and internally affecting the go-getter library (CVE-2022-26945, CVE-2022-30321, CVE-2022-30322, CVE-2022-30323). Nomad uses this library directly for its artifact stanza. The vulnerabilities can allow Nomad operators with the ability to submit specially crafted jobspecs to escalate privileges onto client agent hosts. This issue is identified publicly as CVE-2022-30324.
Remediation
Customers should upgrade to Nomad or Nomad Enterprise 1.1.14, 1.2.8, 1.3.1, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.
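To triage a fleet against the version ranges stated above, the following is an added example (not HashiCorp's code and not part of the original advisory) that classifies a Nomad version string as affected or fixed. The function names and the sample inventory are constructed, and treating a pre-release of a fix version as unfixed is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// parse reads "v1.2.8+ent" or "1.3.1-rc.1" into [major minor patch] and a pre-release flag.
func parse(s string) (v [3]int, pre bool, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	s, _, _ = strings.Cut(s, "+") // build metadata such as "+ent" is not ordered
	s, _, pre = strings.Cut(s, "-")
	if n, _ := fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]); n != 3 {
		err = fmt.Errorf("not a major.minor.patch version: %q", s)
	}
	return v, pre, err
}

func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Affected reports whether version lies in the advisory's range (0.2.0 through
// 1.3.0) and predates the fix for its release line (1.1.14, 1.2.8 or 1.3.1).
func Affected(version string) (bool, error) {
	v, pre, err := parse(version)
	if err != nil || less(v, [3]int{0, 2, 0}) {
		return false, err // unparseable, or older than the first affected release
	}
	fix := [3]int{1, 3, 1}
	if v[0] == 1 && v[1] == 1 {
		fix = [3]int{1, 1, 14} // backport for the 1.1.x line
	} else if v[0] == 1 && v[1] == 2 {
		fix = [3]int{1, 2, 8} // backport for the 1.2.x line
	}
	// Assumption: a pre-release of the fix version itself counts as unfixed.
	return less(v, fix) || (v == fix && pre), nil
}

func main() {
	for _, s := range []string{"0.12.9", "1.1.13", "1.2.8+ent", "1.3.0", "1.3.1"} { // constructed inventory
		hit, err := Affected(s)
		fmt.Println(s, hit, err)
	}
}
```

Release lines without a listed backport, such as 1.0.x, are reported as affected because the only fix above them is 1.3.1.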
I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.