CVE-2022-24685 Nomad Job Parsing Results in Excessive CPU Usage

[lgfa29]

Summary

Nomad and Nomad Enterprise (“Nomad”) allows anyone with access to Nomad’s API to submit HCL formatted jobs for parsing to return the equivalent JSON. This endpoint allowed malformed HCL configuration to be evaluated, resulting in excessive CPU usage on Nomad server agents. This vulnerability, CVE-2022-24685, was fixed in Nomad 1.0.17, 1.1.12, and 1.2.6.

Background

Nomad provides a jobs API to allow operators to interact with jobs in a cluster. When jobs are sent to the API, these must be formatted as JSON in the HTTP request. Nomad’s “job file” is an HCL formatted file, which needs to be converted to JSON, typically handled by the CLI. The jobs API exposes an endpoint to do this HCL parsing to convert it to JSON for systems that cannot use the CLI.

Details

During external testing, it was observed that a Nomad’s jobs API could cause excessive CPU usage on server agents when provided with malformed HCL configuration. Nomad’s HCL parsing logic has been modified to no longer allow this attack, and now requires an ACL token when accessing the parse endpoint.

Remediation

Customers should evaluate the risk associated with this issue and consider upgrading to Nomad or Nomad Enterprise 1.0.17, 1.1.12, and 1.2.6, or newer. Please refer to Upgrading Nomad for general guidance and version-specific upgrade notes.

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.