CVE-2024-8038

Name of the Vulnerable Software and Affected Versions: juju versions prior to 2.9.51 juju versions prior to 3.1.10 juju versions prior to 3.3.7 juju versions prior to 3.4.6 juju versions prior to 3.5.4

Description: The issue concerns an abstract UNIX domain socket used for juju introspection, which is available without authentication locally to network namespace users. This enables denial of service attacks. Specifically, on a juju controller agent, denial of service can be performed by using the "/leases/revoke" endpoint, which can cause availability issues. On a juju machine agent hosting units, disabling the unit component can be performed using the "/units" endpoint with a "stop" action.

Recommendations: For versions prior to 2.9.51, update to version 2.9.51 or later. For versions prior to 3.1.10, update to version 3.1.10 or later. For versions prior to 3.3.7, update to version 3.3.7 or later. For versions prior to 3.4.6, update to version 3.4.6 or later. For versions prior to 3.5.4, update to version 3.5.4 or later. As a temporary workaround, consider restricting access to the "/leases/revoke" and "/units" endpoints to minimize the risk of exploitation.