Thomas Miller

Name of the Vulnerable Software and Affected Versions Juju versions 3.2.0 through 3.6.19 and versions 4.0.0 through 4.0.4 Description A flaw exists in the Juju software where the internal Dqlite database cluster does not properly validate TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An attacker with network access to the Juju controller's Dqlite port can join the database cluster and gain full read and write access to the database, potentially leading to complete data compromise. Recommendations Update Juju to a version later than 4.0.4. Update Juju to a version later than 3.6.19.