Harry Pidcock

Name of the Vulnerable Software and Affected Versions Juju versions 3.2.0 through 3.6.19 and versions 4.0.0 through 4.0.4 Description A flaw exists in the Juju software where the internal Dqlite database cluster does not properly validate TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An attacker with network access to the Juju controller's Dqlite port can join the database cluster and gain full read and write access to the database, potentially leading to complete data compromise. Recommendations Update Juju to a version later than 4.0.4. Update Juju to a version later than 3.6.19.

**Name of the Vulnerable Software and Affected Versions** Juju versions 3.0.0 through 3.6.18 **Description** A race condition exists in the secrets management subsystem. An authenticated unit agent can claim ownership of a newly initialized secret between the generation of a Juju Secret ID and the creation of the secret's first revision. This allows an attacker, authenticated as another unit agent, to claim ownership of a known secret and read the content of the initial secret revision. **Recommendations** Update to version 3.6.19 or later.

**Name of the Vulnerable Software and Affected Versions** Juju versions 3.1.6 through 3.6.18 **Description** An authorization bypass exists in the Vault secrets back-end implementation. An authenticated unit agent can perform unauthorized updates to secret revisions. An attacker, with sufficient information, can potentially compromise existing secret revisions within the scope of the affected Vault secret back-end. **Recommendations** Update Juju to version 3.6.19 or later.

Name of the Vulnerable Software and Affected Versions: juju versions prior to 2.9.51 juju versions prior to 3.1.10 juju versions prior to 3.3.7 juju versions prior to 3.4.6 juju versions prior to 3.5.4 Description: The issue concerns an abstract UNIX domain socket used for juju introspection, which is available without authentication locally to network namespace users. This enables denial of service attacks. Specifically, on a juju controller agent, denial of service can be performed by using the "/leases/revoke" endpoint, which can cause availability issues. On a juju machine agent hosting units, disabling the unit component can be performed using the "/units" endpoint with a "stop" action. Recommendations: For versions prior to 2.9.51, update to version 2.9.51 or later. For versions prior to 3.1.10, update to version 3.1.10 or later. For versions prior to 3.3.7, update to version 3.3.7 or later. For versions prior to 3.4.6, update to version 3.4.6 or later. For versions prior to 3.5.4, update to version 3.5.4 or later. As a temporary workaround, consider restricting access to the "/leases/revoke" and "/units" endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** juju versions prior to 2.9.51 juju versions prior to 3.1.10 juju versions prior to 3.3.7 juju versions prior to 3.4.6 juju versions prior to 3.5.4 **Description** The `JUJU CONTEXT ID` is a predictable authentication secret. On a Juju machine or Juju charm container, an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the `JUJU CONTEXT ID` value. This gives the unprivileged user access to the same information and tools as the Juju charm. The `JUJU CONTEXT ID` has components including the application name, unit number, current hook, and a uint63 decimal number. The random number generator used is not cryptographically secure, making it highly predictable. There is no rate limiting on the abstract domain socket, allowing an unprivileged user to try multiple connections. **Recommendations** For versions prior to 2.9.51, upgrade to version 2.9.51 or later. For versions prior to 3.1.10, upgrade to version 3.1.10 or later. For versions prior to 3.3.7, upgrade to version 3.3.7 or later. For versions prior to 3.4.6, upgrade to version 3.4.6 or later. For versions prior to 3.5.4, upgrade to version 3.5.4 or later.

Name of the Vulnerable Software and Affected Versions: juju versions prior to 2.9.51 juju versions prior to 3.1.10 juju versions prior to 3.3.7 juju versions prior to 3.4.6 juju versions prior to 3.5.4 Description: The juju hook tool's abstract UNIX domain socket is vulnerable. When combined with an attack of `JUJU CONTEXT ID`, any user on the local system with access to the default network namespace may connect to the `/var/lib/juju/agents/unit-xxxx-yyyy/agent.socket` and perform actions that are normally reserved to a juju charm. Recommendations: For versions prior to 2.9.51, update to version 2.9.51 or later. For versions prior to 3.1.10, update to version 3.1.10 or later. For versions prior to 3.3.7, update to version 3.3.7 or later. For versions prior to 3.4.6, update to version 3.4.6 or later. For versions prior to 3.5.4, update to version 3.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** Pebble versions prior to 1.10.2 Pebble versions 1.1.1, 1.4.2, and 1.7.4 are fixed versions, but all versions prior to 1.10.2 are considered vulnerable. **Description** The issue allows unprivileged local users to read files with root-equivalent permissions when Pebble is running as root. This is due to the read-file API and the associated pebble pull command allowing access from any user, instead of just admin. If an attacker gains local access to the container host, they could hit the Pebble `GET /v1/files?action=read` API and read any file in the workload container, including sensitive information such as ssh keys or database passwords. **Recommendations** For Pebble versions prior to 1.10.2, update to version 1.10.2 or later to resolve the issue. For Pebble versions prior to 1.1.1, 1.4.2, and 1.7.4, update to the respective fixed version to resolve the issue. As a temporary workaround, consider restricting access to the Pebble `GET /v1/files?action=read` API to minimize the risk of exploitation.