CVE-2022-24686 Nomad go-getter Race Condition

[lgfa29]

Summary

Nomad and Nomad Enterprise (“Nomad”) uses go-getter in an unsafe way, allowing a race condition such that the Nomad client agent could download the wrong artifact into the wrong destination. This vulnerability, CVE-2022-24686, was fixed in Nomad 1.0.17, 1.1.12, and 1.2.6..

Background

Nomad uses the go-getter library to download artifacts defined in job definitions. This library can be used in a way that is unsafe if shared between goroutines. Under the right conditions, this can allow an attacker with job submission capabilities to impact another allocation such that the client will place the wrong artifact into the wrong destination.

We expect this to be difficult or impossible to reliably exploit on a live cluster, as an attacker would need to get two artifact downloads to kick off at just the right time, outside of their own job submission.

Details

During internal testing, it was observed that Nomad’s go-getter client is used in an unsafe way using the builtin go test race detector. Nomad’s logic has been modified to no longer allow this attack.

Remediation

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.17, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.