CVE-2022-30324
📋 TL;DR
This vulnerability in HashiCorp Nomad and Nomad Enterprise lets an attacker who can submit jobs escalate privileges on client agent hosts. A job's artifact stanza is fetched by the client agent with the go-getter library, and the go-getter vulnerabilities covered by HCSEC-2022-14 are reachable through it. Because the client agent normally runs as root (task drivers require it), code that gains the agent's privileges owns the host. Nomad 0.2.0 through 1.3.0 is affected; the fix ships in 1.1.14, 1.2.8 and 1.3.1. Any cluster that accepts job submissions from untrusted or only partly trusted users, including CI pipelines, is at risk.
💻 Affected Systems
- HashiCorp Nomad
- HashiCorp Nomad Enterprise
📦 What is this software?
Nomad by HashiCorp: a workload orchestrator that schedules jobs onto a pool of client agents. A job's task can declare an artifact stanza (a file, archive or repository to fetch before the task starts); the client agent downloads it with HashiCorp's go-getter library into the task's working directory, which is why go-getter bugs become a Nomad client problem.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of client agent hosts: arbitrary code execution with the agent's (typically root) privileges, access to every secret and data file on the host and to the other tasks scheduled there, and a foothold for pivoting to the rest of the network.
Likely Case
Privilege escalation from a job submitter to the client agent's privileges, giving unauthorized control over that client, the ability to disrupt or tamper with the jobs it runs, and exposure of internal resources the client can reach.
If Mitigated
Limited impact if job submission is restricted to trusted identities through ACLs and clients are segmented from sensitive systems; the attacker must first obtain submit access, and a compromised client cannot reach much.
🎯 Exploit Status
Exploitation needs only the ability to submit a job containing an artifact stanza (the submit-job ACL capability, or any API access at all on a cluster without ACLs enabled). No public proof-of-concept is confirmed, but the trigger is a normal job submission, so weaponization in real attacks is plausible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.14, 1.2.8, and 1.3.1
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2022-14-nomad-impacted-by-go-getter-vulnerabilities/39932
Restart Required: Yes
Instructions:
1. Identify the running version on every server and client: 'nomad version' on the host, 'nomad server members' (Build column) and 'nomad node status -verbose' (Version column) from any agent.
2. Upgrade to 1.1.14, 1.2.8 or 1.3.1 (or later) via your package manager or the binaries from HashiCorp's release page, servers first and then clients, following Nomad's normal upgrade order.
3. Restart each Nomad agent to load the new binary. A client restart does not stop running tasks (the new agent reattaches to them), so clients can be upgraded in a rolling fashion.
🔧 Temporary Workarounds
Restrict Job Submissions
Limit job submission to trusted users and pipelines to shrink the attack surface.
Enable Nomad ACLs and grant the submit-job capability only to the identities that need it, scoped to the namespaces they own; any token without that capability cannot reach the vulnerable code path.
Reject Jobs That Use Artifact Stanzas
If artifact downloads are not required, reject jobs that contain an artifact stanza before they reach the scheduler, which closes the exploitation vector.
Nomad Enterprise users can enforce this with a Sentinel policy on job submission; on open-source Nomad, validate job specifications in the submitting pipeline (for example by inspecting the JSON from 'nomad job run -output' for Artifacts entries) and refuse to submit jobs that carry one.
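The ACL workaround above in concrete form. This is an added example, not HashiCorp's code: it renders a Nomad ACL policy that confines job submission (and therefore artifact stanzas) to a single namespace, and it audits an existing policy file to list which namespaces it lets submit jobs into, so over-broad policies already applied to a cluster can be spotted. The namespace "ci" and the policy name "ci-submitter" are placeholders.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): a least-privilege Nomad ACL policy for
# a job-submitting identity, plus an audit of HCL policy files for submit-job
# grants. Namespace "ci" and policy name "ci-submitter" are placeholders.

# Print an HCL policy for a job-submitting identity. Nomad ACLs are default
# deny, so nothing outside this namespace (and no node or agent access) is implied.
render_submitter_policy() {
    ns=$1
    cat <<EOF
# Job submission (and therefore artifact downloads) allowed only in "$ns".
namespace "$ns" {
  policy       = "read"
  capabilities = ["submit-job", "read-job", "list-jobs", "read-logs"]
}
EOF
}

# Read an HCL policy on stdin and print each namespace that may submit jobs:
# either policy = "write" (which includes submit-job) or an explicit capability.
# Comment lines are skipped so a commented-out "write" does not count.
submit_namespaces() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*namespace[[:space:]]+"/ {
            match($0, /"[^"]*"/)
            ns = substr($0, RSTART + 1, RLENGTH - 2); grants = 0; incaps = 0
        }
        ns == "" { next }
        /policy[[:space:]]*=[[:space:]]*"write"/ { grants = 1 }
        /capabilities[[:space:]]*=/ { incaps = 1 }
        incaps && /"submit-job"/ { grants = 1 }
        incaps && /\]/ { incaps = 0 }
        /^[[:space:]]*}/ { if (grants) print ns; ns = "" }
    '
}

# Stand-alone use: show the policy, confirm it only grants submission in "ci",
# and print the apply command (it needs a management token, so it is not run).
render_submitter_policy ci
printf 'namespaces with submit-job: %s\n' "$(render_submitter_policy ci | submit_namespaces)"
echo 'apply with: nomad acl policy apply -description "CI job submitter" ci-submitter ci-submitter.hcl'
```

To audit policies already on a cluster, dump each with `nomad acl policy info <name>` and pipe the rules section into `submit_namespaces`; any output line other than the namespaces you intended is a token population that can reach the artifact code path.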
🧯 If You Can't Patch
- Implement network segmentation to isolate Nomad clients from sensitive systems, limiting lateral movement.
- Enhance monitoring and logging for suspicious job submissions and artifact downloads to enable rapid detection and response.
🔍 How to Verify
Check if Vulnerable:
Run 'nomad version'. The agent is vulnerable if it reports 0.2.0 up to 1.1.13, 1.2.0 up to 1.2.7, or exactly 1.3.0. Versions 1.1.14 and later 1.1.x, 1.2.8 and later 1.2.x, and 1.3.1 and later are fixed. Check every server and client, since a mixed cluster is only as safe as its oldest client.
Check Version:
nomad version
Verify Fix Applied:
After patching, run 'nomad version' on each host and confirm 1.1.14, 1.2.8, 1.3.1 or later; cross-check the whole cluster with 'nomad server members' and 'nomad node status -verbose' so no client is missed. Then submit a known-good job with an artifact stanza to confirm downloads still work on the upgraded clients.
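The version check above, scripted so it can run from a fleet-management tool or a cron job on every Nomad host. This is an added example and not part of the HashiCorp advisory: it parses the first line of `nomad version` output (e.g. `Nomad v1.2.7 (sha)` or `Nomad v1.3.0+ent`), compares the version against the fixed releases, and exits non-zero when the host is not affected so the result can be consumed by another script.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): decide from `nomad version` output
# whether an agent falls in the range affected by CVE-2022-30324:
# 0.2.0 <= v < 1.1.14, 1.2.0 <= v < 1.2.8, or 1.3.0 exactly.

# vercmp A B: prints -1 if A < B, 0 if equal, 1 if A > B. Dotted numeric
# versions only; missing components count as 0, so 0.12 == 0.12.0.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# parse_nomad_version LINE: "Nomad v1.3.0+ent (sha)" -> "1.3.0".
# The leading "v", pre-release/enterprise suffixes and the commit are dropped.
parse_nomad_version() {
    printf '%s\n' "$1" | sed -n 's/^Nomad v\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# is_vulnerable VERSION: returns 0 (true) when VERSION is in the affected range.
is_vulnerable() {
    v=$1
    [ "$(vercmp "$v" 0.2.0)" -lt 0 ] && return 1    # before the artifact stanza existed
    [ "$(vercmp "$v" 1.1.14)" -lt 0 ] && return 0   # 0.2.0 .. 1.1.13
    [ "$(vercmp "$v" 1.2.0)" -lt 0 ] && return 1    # 1.1.14 and later 1.1.x
    [ "$(vercmp "$v" 1.2.8)" -lt 0 ] && return 0    # 1.2.0 .. 1.2.7
    [ "$(vercmp "$v" 1.3.0)" -lt 0 ] && return 1    # 1.2.8 and later 1.2.x
    [ "$(vercmp "$v" 1.3.1)" -lt 0 ] && return 0    # 1.3.0
    return 1                                        # 1.3.1 and later
}

# classify LINE: prints a verdict; exit 0 = vulnerable, 1 = fixed, 2 = unparsed.
classify() {
    v=$(parse_nomad_version "$1")
    if [ -z "$v" ]; then
        printf 'could not parse a version from: %s\n' "$1"
        return 2
    fi
    if is_vulnerable "$v"; then
        printf 'VULNERABLE: Nomad %s is affected by CVE-2022-30324; upgrade to 1.1.14, 1.2.8 or 1.3.1\n' "$v"
        return 0
    fi
    printf 'not affected: Nomad %s\n' "$v"
    return 1
}

# Stand-alone use: classify the locally installed agent, if there is one.
if command -v nomad >/dev/null 2>&1; then
    classify "$(nomad version | head -n 1)"
fi
```

The comparison is done component by component rather than with `sort -V` so the script runs under busybox or a minimal container image as well as on a full GNU userland.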
📡 Detection & Monitoring
Log Indicators:
- Job submissions with artifact stanzas from identities that do not normally deploy, or whose artifact source is outside your artifact repository
- WARN or ERROR entries from the client's artifact download hook, or mentioning go-getter, in the Nomad client logs (Nomad logs at levels WARN and ERROR, not "warning")
Network Indicators:
- Unexpected outbound connections from Nomad clients to external artifact hosts, especially hosts that are not on an allowlist of internal artifact repositories
- Anomalous traffic patterns during job placement and task startup, when artifacts are fetched
SIEM Query:
source="nomad.log" AND (artifact* OR "go-getter") AND ("[ERROR]" OR "[WARN]")
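The query above expressed as a shell filter, for hosts that are not shipping logs to a SIEM. This is an added example, not HashiCorp's code: it keeps WARN and ERROR lines that mention artifacts or go-getter, extracts the allocation ID and the artifact source host, and reports downloads from hosts outside an allowlist, which covers both the log and the network indicators listed above. The sample log lines are constructed; the logger names and key=value fields approximate the Nomad client's hclog output and are not captured from a real agent.

```shell
#!/bin/sh
# Added example (not HashiCorp's code): the page's SIEM query as a filter over
# Nomad client logs, extended to report artifact source hosts outside an
# allowlist. Feed it `journalctl -u nomad` or a log file on stdin.

# Constructed sample lines in hclog's text format (timestamp, level, logger,
# message, key=value pairs). Logger names and fields are approximations of the
# Nomad client's output, not captured from a real agent.
SAMPLE_LOG='2022-05-11T10:00:01.000Z [INFO]  client.alloc_runner.task_runner: Task event: alloc_id=7c3e9f1a task=web type="Downloading Artifacts"
2022-05-11T10:00:02.000Z [ERROR] client.alloc_runner.task_runner.task_hook.artifacts: failed to download artifact: alloc_id=7c3e9f1a task=web artifact=https://files.example.net/bin.tar.gz error="go-getter: symlink target outside destination"
2022-05-11T10:00:03.000Z [WARN]  client.alloc_runner.task_runner.task_hook.artifacts: failed to download artifact: alloc_id=7c3e9f1a task=web artifact=https://files.example.net/bin.tar.gz error="go-getter: retrying"
2022-05-11T10:00:04.000Z [ERROR] client.alloc_runner.task_runner.task_hook.artifacts: failed to download artifact: alloc_id=b20d44ee task=batch artifact=git::https://artifacts.corp.example/app.git error="checksum mismatch"
2022-05-11T10:00:05.000Z [ERROR] nomad.raft: heartbeat timeout reached, starting election: last-leader-addr=10.0.0.2:4647'

# artifact_failures: WARN/ERROR lines mentioning artifacts or go-getter, printed
# as "<alloc_id> <source host>" (a dash where the field is absent).
artifact_failures() {
    awk '
        ($2 == "[ERROR]" || $2 == "[WARN]") && /artifact|go-getter/ {
            alloc = "-"; host = "-"
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^alloc_id=/) alloc = substr($i, 10)
                if ($i ~ /^artifact=/) {
                    host = substr($i, 10)
                    sub(/^[a-z0-9+:]*\/\//, "", host)   # drop scheme, incl. go-getter prefixes like git::
                    sub(/[\/:].*$/, "", host)            # drop path, query string and port
                }
            }
            print alloc, host
        }'
}

# unexpected_sources ALLOWED_REGEX: failed downloads whose source host does not
# match ALLOWED_REGEX, aggregated as "<alloc_id> <host> <count>".
unexpected_sources() {
    artifact_failures | awk -v allowed="$1" '
        $2 != "-" && $2 !~ allowed { n[$1 " " $2]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Stand-alone run over the constructed sample. In production replace the
# printf with, for example: journalctl -u nomad --since -1h | unexpected_sources 'corp[.]example$'
printf '%s\n' "$SAMPLE_LOG" | unexpected_sources 'corp[.]example$'
```

A hit from `unexpected_sources` gives you the allocation ID to pivot on: `nomad alloc status <id>` shows the job, task and node, and the job's submitter is in the job's modify/ACL audit trail.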