CVE-2022-41606 is a medium-severity vulnerability affecting HashiCorp Nomad and Nomad Enterprise versions from 1.0.2 up to 1.2.12, and 1.3.5. The issue arises when jobs submitted to Nomad include an artifact stanza that references invalid Amazon S3 or Google Cloud Storage (GCS) URLs. Specifically, these malformed or invalid URLs can cause the Nomad client agents to crash, resulting in a denial of service (DoS) condition. The vulnerability is classified under CWE-20, indicating improper input validation. The root cause is that the Nomad client does not correctly handle invalid artifact URLs, leading to a crash rather than graceful error handling. This vulnerability does not impact confidentiality or integrity but affects availability by causing client agents to become unresponsive. Exploitation requires network access to submit jobs to the Nomad cluster and privileges to submit jobs (PR:L), but no user interaction is required. The vulnerability has a CVSS v3.1 score of 6.5 (medium severity), with the vector indicating network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high impact on availability. HashiCorp addressed this issue in Nomad versions 1.2.13, 1.3.6, and 1.4.0 by improving validation and error handling for artifact URLs. There are no known exploits in the wild as of the published date. Nomad is a popular workload orchestrator used for deploying and managing containerized and non-containerized applications, often in hybrid and multi-cloud environments. This vulnerability could be leveraged by an attacker with job submission privileges to disrupt client agents, potentially impacting workload availability and operational continuity.

For European organizations using HashiCorp Nomad, especially those deploying workloads across hybrid or multi-cloud infrastructures, this vulnerability poses a risk to service availability. A successful exploitation can crash Nomad client agents, causing disruption in workload scheduling and execution. This can lead to downtime of critical applications or services managed by Nomad, impacting business operations. Organizations relying on Nomad for continuous deployment or infrastructure automation may experience operational delays and increased recovery efforts. While the vulnerability does not expose sensitive data or allow unauthorized code execution, the denial of service impact can affect service-level agreements (SLAs) and customer trust. Given the increasing adoption of cloud-native technologies and infrastructure-as-code practices in Europe, the disruption caused by this vulnerability could have cascading effects on IT service delivery and business continuity. Additionally, organizations in regulated sectors such as finance, healthcare, and critical infrastructure may face compliance risks if service availability is compromised.

European organizations should prioritize upgrading HashiCorp Nomad to versions 1.2.13, 1.3.6, or later, where this vulnerability is fixed. Until upgrades can be applied, organizations should implement strict validation and sanitization of job submissions, especially artifact stanzas referencing S3 or GCS URLs, to prevent invalid URLs from being accepted. Access controls should be enforced to restrict job submission privileges to trusted users and service accounts only, minimizing the risk of malicious or accidental submission of malformed jobs. Monitoring and alerting should be enhanced to detect client agent crashes or abnormal job failures promptly. Network segmentation and firewall rules can limit access to Nomad APIs to authorized networks and users. Additionally, organizations should review and harden their artifact storage configurations and ensure that artifact URLs are verified before job submission. Regular backups and disaster recovery plans should be tested to mitigate potential downtime caused by client agent crashes. Finally, staying informed about HashiCorp security advisories and promptly applying patches is critical to maintaining a secure Nomad environment.