CVE-2022-24684: 
Nomad vulnerability analysis and mitigation

CVE-2022-24684 affects HashiCorp Nomad and Nomad Enterprise versions 0.9.0 through 1.0.16, 1.1.11, and 1.2.5. The vulnerability allows operators with job-submit capabilities to use the spread stanza in a way that can trigger panic in Nomad server agents. This security issue was discovered and reported by an external party to HashiCorp and was fixed in versions 1.0.18, 1.1.12, and 1.2.6, released in February 2022 (HashiCorp Advisory).

The vulnerability stems from an interaction between Nomad's spread and update stanzas. The spread stanza is a feature that allows operators to increase the failure tolerance of their applications by specifying a node attribute that allocations should be spread over. When combined in a specific way, these stanzas could trigger a panic condition in Nomad servers. The vulnerability has been assigned a CVSS score of 6.5 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NetApp Advisory).

The successful exploitation of this vulnerability results in a denial of service condition through server panic. This affects the availability of Nomad server agents, potentially disrupting the orchestration and management of workloads across the cluster (HashiCorp Advisory).

The recommended mitigation is to upgrade to the fixed versions: Nomad 1.0.18, 1.1.12, and 1.2.6, or newer. HashiCorp has modified Nomad's logic to prevent this type of attack. Organizations should evaluate the risk associated with this issue and plan their upgrade accordingly (HashiCorp Advisory).