Issue 23 - The Nomad CLI is too strict with job input parameters

This issue occurs because the Nomad CLI does not check the validity of the S3 or GCS URL before submitting a job, so it's possible for a malicious user to submit a job with an invalid URL and then inspect the job's history to find the invalid URL and submit a different invalid URL that causes the Nomad CLI to crash. To discover this issue, simply submit an invalid URL to Nomad with the --debug command-line option. This issue has been fixed in Nomad Enterprise 1.3.5, which was released on June 19, 2018. If you're using Enterprise and want to upgrade to 1.3.5 as soon as possible, you can do so by pushing the following configuration to your Enterprise nodes:

skip_update_check_certificate = false

When upgrading to 1.3.5, be aware that you cannot use S3 or GCS as a deploy target for jobs with an invalid URL. These invalid URLs will now fail validation and be rejected by the Nomad CLI. The only valid URL types for jobs with invalid URLs are S3 and Git.

Issue 2023 - Nomad doesn't detect changes to a previous deploy job

When upgrading to 1.3.5 as documented above, you will not be able to use S3 or GCS as a deploy target for jobs with an invalid URL until Carbon Black releases another update that includes changes related to this fix, so that it works properly again in your environment.

Restrictions on the Nomad Command-Line Interface

The Nomad Command-Line Interface imposes restrictions on the jobs it can run. As a result, the Nomad CLI will not be able to run jobs with invalid URLs that are submitted by users but will still be able to run jobs with valid URLs that are submitted by admins or users with access permissions.

Timeline

Published on: 10/12/2022 00:15:00 UTC
Last modified on: 10/13/2022 17:16:00 UTC
