CVE-2022-24685

7.5 HIGH

📋 TL;DR

This vulnerability in HashiCorp Nomad allows attackers to submit specially crafted HCL job configurations to the jobs parse endpoint, causing excessive CPU consumption and potential denial of service. It affects Nomad and Nomad Enterprise deployments running vulnerable versions. Organizations using affected versions for job orchestration are at risk.

💻 Affected Systems

Products:
  • HashiCorp Nomad
  • HashiCorp Nomad Enterprise
Versions: 1.0.17, 1.1.11, 1.2.5
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the jobs parse endpoint specifically; requires API access to exploit.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through CPU exhaustion, rendering Nomad cluster unavailable for job scheduling and management.

🟠

Likely Case

Degraded performance and intermittent service interruptions affecting job scheduling and execution.

🟢

If Mitigated

Minimal impact with proper network segmentation and rate limiting in place.

🌐 Internet-Facing: HIGH if Nomad API endpoints are exposed to untrusted networks without authentication.
🏢 Internal Only: MEDIUM as internal attackers or compromised systems could exploit the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending malformed HCL to the parse endpoint; authentication requirements depend on Nomad configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.18, 1.1.12, 1.2.6

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/35561

Restart Required: Yes

Instructions:

1. Backup Nomad configuration and data.
2. Download patched version from HashiCorp releases.
3. Stop Nomad service.
4. Install updated binaries.
5. Restart Nomad service.
6. Verify service functionality.

🔧 Temporary Workarounds

Restrict API Access

Platform: linux

Limit access to Nomad API endpoints using network firewalls or ACLs.

# Allow the Nomad HTTP API (TCP 4646) only from trusted_network (replace with your CIDR);
# the ACCEPT rule must be appended before the DROP so it is evaluated first.
iptables -A INPUT -p tcp --dport 4646 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 4646 -j DROP

Enable Authentication

Platform: all

Configure Nomad ACLs or other authentication mechanisms to restrict API access.

# Create the initial management token once ACLs are enabled in the agent configuration
nomad acl bootstrap
# Then configure ACL policies in the Nomad configuration

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Nomad API endpoints from untrusted networks.
  • Deploy rate limiting on Nomad API endpoints to mitigate DoS impact.

🔍 How to Verify

Check if Vulnerable:

Check Nomad version: nomad version | grep -E '1\.0\.17|1\.1\.11|1\.2\.5'

Check Version:

nomad version

Verify Fix Applied:

Verify version is 1.0.18, 1.1.12, or 1.2.6: nomad version

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage alerts from monitoring
  • Nomad logs showing parse errors or excessive API requests

Network Indicators:

  • Unusual traffic patterns to Nomad API port 4646
  • Multiple rapid requests to /v1/jobs/parse endpoint

SIEM Query:

source="nomad" AND ("parse" OR "job") AND (error OR cpu_high)
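The network indicator above (rapid requests to /v1/jobs/parse) and the CPU indicator can both be checked against Nomad agent logs. The following is an added example, not part of this record or HashiCorp's tooling: it counts parse requests per minute and slow parses from lines shaped like Nomad's DEBUG-level "http: request complete" entries. The log lines are constructed samples and the burst threshold is an assumption to tune per environment.

```shell
#!/bin/sh
# Added example (not from the advisory or Nomad itself). Nomad logs completed
# HTTP requests at DEBUG level in lines of the form
#   <timestamp> [DEBUG] http: request complete: method=PUT path=/v1/jobs/parse duration=...
# SAMPLE_LOG holds constructed lines in that shape for offline testing.
SAMPLE_LOG='2022-02-10T10:15:01.000Z [DEBUG] http: request complete: method=GET path=/v1/agent/health?type=client duration=1.2ms
2022-02-10T10:15:02.000Z [DEBUG] http: request complete: method=PUT path=/v1/jobs/parse duration=4.1s
2022-02-10T10:15:02.500Z [DEBUG] http: request complete: method=PUT path=/v1/jobs/parse duration=3.9s
2022-02-10T10:15:03.000Z [DEBUG] http: request complete: method=PUT path=/v1/jobs/parse duration=4.4s
2022-02-10T10:16:10.000Z [DEBUG] http: request complete: method=PUT path=/v1/jobs/parse duration=12ms
2022-02-10T10:16:11.000Z [DEBUG] http: request complete: method=GET path=/v1/jobs duration=2ms'

# Read log text from stdin and print "<minute> <count>" for every minute in
# which /v1/jobs/parse was hit at least $1 times (default 3, an assumed threshold).
parse_bursts() {
    awk -v threshold="${1:-3}" '
        /http: request complete:/ && / path=\/v1\/jobs\/parse/ {
            minute = substr($1, 1, 16)      # e.g. "2022-02-10T10:15"
            count[minute]++
        }
        END {
            for (m in count) if (count[m] >= threshold) print m, count[m]
        }'
}

# Read log text from stdin and print how many parse requests took whole
# seconds (duration ends in "s" rather than "ms"), the CPU-bound parses the
# advisory describes.
slow_parses() {
    awk '/ path=\/v1\/jobs\/parse/ && / duration=[0-9.]+s$/ { n++ } END { print n + 0 }'
}

# Usage on a live agent log, e.g.:
#   parse_bursts 5 < /var/log/nomad/nomad.log
#   slow_parses     < /var/log/nomad/nomad.log
```

Run against the sample, `parse_bursts 3` reports the 10:15 minute with three parse requests, and `slow_parses` reports three multi-second parses; the 10:16 request is a normal 12 ms parse and is not flagged. Minute buckets are keyed on the first 16 characters of the timestamp, so the check assumes Nomad's RFC3339 log timestamps.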
