CVE-2021-41865 in Nomad

Summary

by MITRE • 10/07/2021

HashiCorp Nomad and Nomad Enterprise 1.1.1 through 1.1.5 allowed authenticated users with job submission capabilities to cause denial of service by submitting incomplete job specifications with a Consul mesh gateway and host networking mode. Fixed in 1.1.6.


Analysis

by VulDB Data Team • 09/05/2025

HashiCorp Nomad and Nomad Enterprise versions 1.1.1 through 1.1.5 contained a critical vulnerability that enabled authenticated users with job submission privileges to trigger denial of service conditions through the manipulation of job specifications. This flaw specifically manifested when users submitted incomplete job configurations that included Consul mesh gateway and host networking mode elements. The vulnerability stems from insufficient validation of job specifications during the submission process, allowing malformed configurations to bypass normal sanitization checks. The technical implementation fails to properly validate the completeness and consistency of job definitions when these specific networking modes are employed, creating a path for malicious or malformed job submissions to disrupt system operations. This issue represents a failure in input validation and job specification integrity checking that directly impacts system availability and stability.

The operational impact of this vulnerability extends beyond simple service disruption as it affects the core job scheduling and execution mechanisms within Nomad's architecture. When users submit incomplete job specifications with Consul mesh gateway configurations, the system enters an inconsistent state where resource allocation and network configuration processes fail to complete properly. This results in the targeted Nomad client or server processes becoming unresponsive or crashing, effectively creating a denial of service condition that prevents legitimate job submissions from being processed. The vulnerability particularly affects environments that rely heavily on Consul integration for service discovery and mesh networking, where the combination of mesh gateway and host networking modes creates additional attack surface complexity. From a cybersecurity perspective, this vulnerability aligns with CWE-20 Improper Input Validation and represents a privilege escalation vector that allows authenticated users to cause system-wide availability issues.

The exploitation of this vulnerability requires minimal prerequisites as it only necessitates authentication with job submission permissions, making it particularly dangerous in environments where job submission capabilities are widely distributed. Attackers can leverage this flaw by crafting job specifications that contain incomplete or malformed Consul mesh gateway configurations, then submitting these to the Nomad cluster. The system's failure to properly validate these configurations leads to cascading failures in the job scheduling system, potentially affecting multiple nodes within the cluster. Security teams should note that this vulnerability exists in the job specification processing layer and can be classified under ATT&CK technique T1499.004 for network denial of service, as it specifically targets availability through job submission manipulation. The fix implemented in version 1.1.6 addresses the root cause by strengthening input validation for job specifications, particularly when Consul mesh gateway configurations are present, ensuring that incomplete job definitions are rejected before they can cause system disruption.

Organizations running affected Nomad versions should prioritize immediate patching to prevent potential exploitation, as the vulnerability can be leveraged to cause significant operational disruption. The mitigation strategy should include comprehensive monitoring of job submission activities and implementation of automated validation checks for job specifications. Security administrators should also consider implementing additional access controls and privilege separation to limit the scope of users who can submit jobs, reducing the potential impact of this vulnerability. Regular security assessments of Nomad configurations and Consul integration should be conducted to identify and remediate similar validation gaps in the system. The vulnerability serves as a reminder of the importance of robust input validation in distributed systems and highlights the need for comprehensive testing of edge cases in job scheduling and resource allocation mechanisms.
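One way to implement the automated job specification check mentioned above, as an added example that is not part of the original entry or of Nomad's own code: it flags every Consul mesh gateway service declared in a group that uses host networking, so those jobs can be reviewed before submission to a cluster still running 1.1.1 through 1.1.5. The field names follow Nomad's JSON job format as assumed here, the function name and sample job are constructed, and the check does not decide whether a specification is incomplete, because the entry does not say which fields were missing.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// jobFile is the subset of Nomad's JSON job format this check needs.
// Field names are an assumption based on the Nomad HTTP API job structure.
type jobFile struct {
	Job struct {
		ID         string
		TaskGroups []struct {
			Name     string
			Networks []struct{ Mode string }
			Services []struct {
				Name    string
				Connect *struct{ Gateway *struct{ Mesh *json.RawMessage } }
			}
		}
	}
}

// FlagMeshGatewayHostNet returns "job/group/service" for each Connect mesh
// gateway service in a group whose network mode is host (Nomad's default mode).
func FlagMeshGatewayHostNet(spec []byte) ([]string, error) {
	var j jobFile
	if err := json.Unmarshal(spec, &j); err != nil {
		return nil, err
	}
	var hits []string
	for _, g := range j.Job.TaskGroups {
		host := false
		for _, n := range g.Networks {
			host = host || n.Mode == "host" || n.Mode == ""
		}
		for _, s := range g.Services {
			if host && s.Connect != nil && s.Connect.Gateway != nil && s.Connect.Gateway.Mesh != nil {
				hits = append(hits, j.Job.ID+"/"+g.Name+"/"+s.Name)
			}
		}
	}
	return hits, nil
}

// Constructed sample job, not taken from the advisory.
const sample = `{"Job":{"ID":"gw","TaskGroups":[{"Name":"mesh","Networks":[{"Mode":"host"}],"Services":[{"Name":"mesh-gateway","Connect":{"Gateway":{"Mesh":{}}}}]}]}}`

func main() { fmt.Println(FlagMeshGatewayHostNet([]byte(sample))) }
```

A non-empty result is a reason to hold the job for review or to upgrade to 1.1.6 first, not proof that the job would trigger the flaw.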

Reservation

10/01/2021

Disclosure

10/07/2021

Moderation

accepted

CPE

ready

EPSS

0.00967

KEV

no

Activities

very low

Sources
