VYPR
Moderate severity · NVD Advisory · Published Feb 16, 2023 · Updated Mar 18, 2025

Nomad Client Vulnerable to Decompression Bombs in Artifact Block

CVE-2023-0821

Description

HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3, allow jobs using a maliciously compressed artifact stanza source to cause excessive disk usage. Fixed in 1.2.16, 1.3.9, and 1.4.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HashiCorp Nomad clients are vulnerable to a decompression bomb attack via maliciously crafted artifact stanzas in jobs.

Vulnerability Analysis

CVE-2023-0821 is a denial-of-service (DoS) vulnerability in HashiCorp Nomad and Nomad Enterprise affecting versions 1.2.15 through 1.3.8, and 1.4.3. The vulnerability lies in the artifact stanza processing, where Nomad uses the go-getter library to fetch and decompress job artifacts. A maliciously compressed source, known as a 'Zip Bomb,' can be included in the artifact stanza of a submitted job, causing the Nomad client agent to consume excessive disk resources during decompression [1][2].

Exploitation Method

An attacker must have authenticated access to the Nomad cluster with the ability to submit jobs. By crafting a job specification that references a maliciously compressed artifact, the attacker triggers uncontrolled decompression on the client agent. This does not require any privilege escalation beyond the submit-job capability, and the attack is executed simply by the client agent processing the artifact as part of job allocation [2].

Impact and Mitigation

The primary impact is a denial-of-service condition: excessive disk usage can crash the Nomad client agent, disrupting workloads scheduled on that node. HashiCorp has addressed this by modifying the go-getter usage to allow administrators to set decompression limits via the client agent configuration options artifact.decompression_size_limit and artifact.decompression_file_count_limit [2]. The fix is included in Nomad versions 1.2.16, 1.3.9, and 1.4.4. Operators are strongly advised to upgrade to these patched versions or apply the configuration limits as a workaround [1][2].
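To make the two limits named above concrete, here is an added illustration (not Nomad's or go-getter's own code): a streaming tar.gz extractor that enforces a decompressed-size cap and an entry-count cap, run against a constructed all-zero archive that is a few KB on the wire but megabytes once expanded. The function names, limit values and the choice to drain entries to io.Discard instead of writing files are assumptions for the demo.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

var ErrLimit = errors.New("decompression limit exceeded")

// extractBounded streams a gzip'd tar, aborting once decompressed bytes or entries exceed a limit.
func extractBounded(r io.Reader, sizeLimit int64, fileLimit int) (int64, int, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return 0, 0, err
	}
	tr, total, files := tar.NewReader(gz), int64(0), 0
	for {
		if _, err := tr.Next(); err == io.EOF {
			return total, files, nil
		} else if err != nil {
			return total, files, err
		}
		// Read one byte past the remaining budget so an oversized entry trips the limit early.
		n, err := io.Copy(io.Discard, io.LimitReader(tr, sizeLimit-total+1))
		if total, files = total+n, files+1; err != nil {
			return total, files, err
		}
		if total > sizeLimit || files > fileLimit {
			return total, files, ErrLimit
		}
	}
}

// bombArchive is a constructed decompression bomb: all-zero entries, a few KB compressed, files*sizeEach on disk.
func bombArchive(files int, sizeEach int64) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	zeros := make([]byte, sizeEach)
	for i := 0; i < files; i++ {
		tw.WriteHeader(&tar.Header{Name: fmt.Sprintf("f%d", i), Typeflag: tar.TypeReg, Size: sizeEach})
		tw.Write(zeros)
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}
```

With an 8-entry, 8 MiB archive, a 4 MiB size cap stops extraction one byte into the fifth entry, and an entry cap of 4 stops it after the fifth entry is counted; without limits the same few KB expand to the full 8 MiB.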

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions      Patched versions
github.com/hashicorp/nomad   Go          >= 1.2.15, < 1.2.16    1.2.16
github.com/hashicorp/nomad   Go          >= 1.3.0, < 1.3.9      1.3.9
github.com/hashicorp/nomad   Go          >= 1.4.0, < 1.4.4      1.4.4

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.