Source: nomad
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nomad.

CVE-2021-37218[0]:
| HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server
| agents with a valid certificate signed by the same CA to access
| server-only functionality, enabling privilege escalation. Fixed in
| 1.0.10 and 1.1.4.

https://discuss.hashicorp.com/t/hcsec-2021-21-nomad-raft-rpc-privilege-escalation/29023
https://github.com/hashicorp/nomad/pull/11089 (main)
https://github.com/hashicorp/nomad/commit/768d7c72a77e9c0415d92900753fc83e8822145a (release-1.1.4)
https://github.com/hashicorp/nomad/commit/61a922afcf12784281757402c8e0b61686ff855d (release-1.0.11)

CVE-2021-43415[1]:
| HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0,
| with the QEMU task driver enabled, allowed authenticated users with
| job submission capabilities to bypass the configured allowed image
| paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.

https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288
https://github.com/hashicorp/nomad/issues/11542
https://github.com/hashicorp/nomad/pull/11554
https://github.com/hashicorp/nomad/commit/40de248b940eb7babbd4a08ebe9d6874758f5285 (v1.2.1)

CVE-2022-24683[2]:
| HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and
| 1.2.5 allow operators with read-fs and alloc-exec (or job-submit)
| capabilities to read arbitrary files on the host filesystem as root.

https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560

CVE-2022-24684[3]:
| HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and
| 1.2.5 allow operators with job-submit capabilities to use the spread
| stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.

https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562
https://github.com/hashicorp/nomad/issues/12039
https://github.com/hashicorp/nomad/commit/c49359ad58f0af18a5697a0b7b9b6cca9656d267 (v1.2.6)

CVE-2022-24685[4]:
| HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow
| invalid HCL for the jobs parse endpoint, which may cause excessive CPU
| usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.

https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/35561
https://github.com/hashicorp/nomad/issues/12038

CVE-2022-24686[5]:
| HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and
| 1.2.5 artifact download functionality has a race condition such that
| the Nomad client agent could download the wrong artifact into the
| wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6.

https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37218
    https://www.cve.org/CVERecord?id=CVE-2021-37218
[1] https://security-tracker.debian.org/tracker/CVE-2021-43415
    https://www.cve.org/CVERecord?id=CVE-2021-43415
[2] https://security-tracker.debian.org/tracker/CVE-2022-24683
    https://www.cve.org/CVERecord?id=CVE-2022-24683
[3] https://security-tracker.debian.org/tracker/CVE-2022-24684
    https://www.cve.org/CVERecord?id=CVE-2022-24684
[4] https://security-tracker.debian.org/tracker/CVE-2022-24685
    https://www.cve.org/CVERecord?id=CVE-2022-24685
[5] https://security-tracker.debian.org/tracker/CVE-2022-24686
    https://www.cve.org/CVERecord?id=CVE-2022-24686

Please adjust the affected versions in the BTS as needed.