CVE-2022-24684 Nomad Spread Job Stanza Can Trigger Panic in Servers

[lgfa29]

Summary

Nomad and Nomad Enterprise (“Nomad”) allows operators with job-submit capabilities to use the spread stanza in a way such that it can cause panic in Nomad servers. This vulnerability, CVE-2022-24684, was fixed in Nomad 1.0.17, 1.1.12, and 1.2.6.

Background

The spread stanza within a Nomad job allows operators to increase the failure tolerance of their applications by specifying a node attribute that allocations should be spread over.

Details

During external testing, it was observed that Nomad’s spread and update stanzas can be combined in such a way that it can cause panic in Nomad servers. Nomad’s logic has been modified to no longer allow this attack.

Remediation

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.17, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.