PT-2024-38418 · Canonical+1 · Juju+1
Harry Pidcock +2 · Published 2024-10-02 · Updated 2025-08-26 · CVE-2024-7558
CVSS v3.1: 8.7 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions
juju versions prior to 2.9.51
juju versions prior to 3.1.10
juju versions prior to 3.3.7
juju versions prior to 3.4.6
juju versions prior to 3.5.4
Description
The JUJU_CONTEXT_ID is a predictable authentication secret. On a Juju machine or Juju charm container, an unprivileged user in the same network namespace can connect to an abstract domain socket and guess the JUJU_CONTEXT_ID value. This gives the unprivileged user access to the same information and tools as the Juju charm. The JUJU_CONTEXT_ID has components including the application name, unit number, current hook, and a uint63 decimal number. The random number generator used is not cryptographically secure, making it highly predictable. There is no rate limiting on the abstract domain socket, allowing an unprivileged user to try multiple connections.
Recommendations
For versions prior to 2.9.51, upgrade to version 2.9.51 or later.
For versions prior to 3.1.10, upgrade to version 3.1.10 or later.
For versions prior to 3.3.7, upgrade to version 3.3.7 or later.
For versions prior to 3.4.6, upgrade to version 3.4.6 or later.
For versions prior to 3.5.4, upgrade to version 3.5.4 or later.
Fix
Use of Insufficiently Random Values
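The weakness class named above, shown as an added Go example that is not Juju's own code: a context ID whose secret part comes from math/rand next to one drawn from crypto/rand. The function names, the "<unit>-<hook>-<secret>" layout, the explicit seed parameter and the constant-time comparison are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// weakContextID reproduces the flaw: the only secret component is a uint63
// from math/rand, which is fully determined by the generator's seed.
// The "<unit>-<hook>-<number>" layout is an assumption for illustration.
func weakContextID(unit, hook string, seed int64) string {
	r := mrand.New(mrand.NewSource(seed))
	return fmt.Sprintf("%s-%s-%d", unit, hook, r.Int63())
}

// strongContextID replaces the number with 32 bytes from the OS CSPRNG,
// hex-encoded, so the secret part carries 256 bits of entropy.
func strongContextID(unit, hook string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return fmt.Sprintf("%s-%s-%s", unit, hook, hex.EncodeToString(b)), nil
}

// sameContextID compares a presented ID with the expected one in constant
// time, so the comparison does not leak how many leading bytes matched.
func sameContextID(presented, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

func main() {
	// Constructed sample values: unit "app/0", hook "install", seed 42.
	a := weakContextID("app/0", "install", 42)
	b := weakContextID("app/0", "install", 42)
	fmt.Println("weak IDs repeat for the same seed:", a == b)

	id, err := strongContextID("app/0", "install")
	if err != nil {
		panic(err)
	}
	fmt.Println(id, sameContextID(id, id))
}
```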
Affected Products
Suse
Juju