nomad: CVE-2021-37218 CVE-2021-43415 CVE-2022-24683 CVE-2022-24684 CVE-2022-24685 CVE-2022-24686

Debian Bug report logs - #1021273

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Tue, 4 Oct 2022 19:45:04 UTC

Severity: grave

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#1021273; Package src:nomad. (Tue, 04 Oct 2022 19:45:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>. (Tue, 04 Oct 2022 19:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: nomad: CVE-2021-37218 CVE-2021-43415 CVE-2022-24683 CVE-2022-24684 CVE-2022-24685 CVE-2022-24686
Date: Tue, 4 Oct 2022 21:43:35 +0200
Source: nomad
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nomad.

CVE-2021-37218[0]:
| HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server
| agents with a valid certificate signed by the same CA to access
| server-only functionality, enabling privilege escalation. Fixed in
| 1.0.10 and 1.1.4.

https://discuss.hashicorp.com/t/hcsec-2021-21-nomad-raft-rpc-privilege-escalation/29023
https://github.com/hashicorp/nomad/pull/11089 (main)
https://github.com/hashicorp/nomad/commit/768d7c72a77e9c0415d92900753fc83e8822145a (release-1.1.4)
https://github.com/hashicorp/nomad/commit/61a922afcf12784281757402c8e0b61686ff855d (release-1.0.11)

CVE-2021-43415[1]:
| HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0,
| with the QEMU task driver enabled, allowed authenticated users with
| job submission capabilities to bypass the configured allowed image
| paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.

https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288
https://github.com/hashicorp/nomad/issues/11542
https://github.com/hashicorp/nomad/pull/11554
https://github.com/hashicorp/nomad/commit/40de248b940eb7babbd4a08ebe9d6874758f5285 (v1.2.1)

CVE-2022-24683[2]:
| HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and
| 1.2.5 allow operators with read-fs and alloc-exec (or job-submit)
| capabilities to read arbitrary files on the host filesystem as root.

https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560

CVE-2022-24684[3]:
| HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and
| 1.2.5 allow operators with job-submit capabilities to use the spread
| stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.

https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562
https://github.com/hashicorp/nomad/issues/12039
https://github.com/hashicorp/nomad/commit/c49359ad58f0af18a5697a0b7b9b6cca9656d267 (v1.2.6)

CVE-2022-24685[4]:
| HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow
| invalid HCL for the jobs parse endpoint, which may cause excessive CPU
| usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.

https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/35561
https://github.com/hashicorp/nomad/issues/12038

CVE-2022-24686[5]:
| HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and
| 1.2.5 artifact download functionality has a race condition such that
| the Nomad client agent could download the wrong artifact into the
| wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6.

https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37218
    https://www.cve.org/CVERecord?id=CVE-2021-37218
[1] https://security-tracker.debian.org/tracker/CVE-2021-43415
    https://www.cve.org/CVERecord?id=CVE-2021-43415
[2] https://security-tracker.debian.org/tracker/CVE-2022-24683
    https://www.cve.org/CVERecord?id=CVE-2022-24683
[3] https://security-tracker.debian.org/tracker/CVE-2022-24684
    https://www.cve.org/CVERecord?id=CVE-2022-24684
[4] https://security-tracker.debian.org/tracker/CVE-2022-24685
    https://www.cve.org/CVERecord?id=CVE-2022-24685
[5] https://security-tracker.debian.org/tracker/CVE-2022-24686
    https://www.cve.org/CVERecord?id=CVE-2022-24686

Please adjust the affected versions in the BTS as needed.
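As an added example (not part of the bug report, and not Nomad code), a small triage helper for the "adjust the affected versions" step: it encodes the affected ranges exactly as the six CVE texts above state them and reports which CVEs apply to a given Nomad version. Assumptions: where a CVE names only a fixed version, every earlier release of that line is treated as affected; for CVE-2022-24684 the stated fix 1.0.18 is used as the upper bound of the 1.0.x line rather than "through 1.0.16".

```python
"""Which of the six Nomad CVEs in this report apply to a given version (added example, not Nomad code)."""
from dataclasses import dataclass
import re

Version = tuple[int, int, int]

def parse_version(s: str) -> Version:
    # Accept "1.2.5", "v1.2.5" or "1.2.5-rc1"; compare as (major, minor, patch) tuples.
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", s.strip())
    if not m:
        raise ValueError(f"not a semver-like version: {s!r}")
    return tuple(int(x) for x in m.groups())

@dataclass(frozen=True)
class Affected:
    lo: Version          # first affected version of a release line (inclusive)
    hi: Version          # upper bound: last affected ("through") or first fixed release
    hi_inclusive: bool   # True for "through Y", False for "fixed in Y"

    def contains(self, v: Version) -> bool:
        if v < self.lo:
            return False
        return v <= self.hi if self.hi_inclusive else v < self.hi

def through(lo: str, last: str) -> Affected:   # "X through Y": Y is still affected
    return Affected(parse_version(lo), parse_version(last), True)

def fixed(lo: str, fix: str) -> Affected:      # "fixed in Y": Y and later are clean
    return Affected(parse_version(lo), parse_version(fix), False)

# Transcribed from the CVE texts in the report. Assumptions: where no lower bound is
# stated, "0.0.0" (every earlier release) or the start of the release line is used;
# for CVE-2022-24684 the stated fix 1.0.18 is used instead of "through 1.0.16".
ADVISORIES = {
    "CVE-2021-37218": [fixed("0.0.0", "1.0.10"), fixed("1.1.0", "1.1.4")],
    "CVE-2021-43415": [fixed("0.0.0", "1.0.14"), fixed("1.1.0", "1.1.8"), fixed("1.2.0", "1.2.1")],
    "CVE-2022-24683": [through("0.9.2", "1.0.17"), through("1.1.0", "1.1.11"), through("1.2.0", "1.2.5")],
    "CVE-2022-24684": [fixed("0.9.0", "1.0.18"), fixed("1.1.0", "1.1.12"), fixed("1.2.0", "1.2.6")],
    "CVE-2022-24685": [fixed("1.0.17", "1.0.18"), fixed("1.1.11", "1.1.12"), fixed("1.2.5", "1.2.6")],
    "CVE-2022-24686": [fixed("0.3.0", "1.0.18"), fixed("1.1.0", "1.1.12"), fixed("1.2.0", "1.2.6")],
}

def applicable_cves(version: str) -> list[str]:
    """Return the CVE ids whose affected ranges contain the given Nomad version."""
    v = parse_version(version)
    return [cve for cve, ranges in ADVISORIES.items() if any(r.contains(v) for r in ranges)]

if __name__ == "__main__":
    for candidate in ("0.8.0", "1.0.9", "1.2.5", "1.2.6"):
        print(candidate, "->", applicable_cves(candidate) or "not affected")
```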



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 04 Oct 2022 20:21:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 5 13:21:56 2022; Machine Name: buxtehude
