A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client certificates when a new node attempts to join the cluster. An unauthenticated attacker with network reachability to the Juju controller's Dqlite port can exploit this flaw to join the database cluster. Once joined, the attacker gains full read and write access to the underlying database, allowing for total data compromise.
The Juju controller uses an internal Dqlite database cluster, which should require mutual TLS authentication (mTLS) when joining new nodes. The vulnerability exists because the database endpoint does not verify client certificates when a new node attempts to join the cluster. An attacker who is network-reachable on the Dqlite controller port can establish a connection without any credentials and register as a new cluster node. After successfully joining, the attacker gains full read and write permissions to the entire database.
An attacker can gain full read and write access to the Juju internal database, resulting in complete compromise of confidentiality and integrity of stored data, and potentially also takeover of control of the managed infrastructure.
Juju should be updated to version 3.6.19 or newer (for the 3.x branch) or to version 4.0.4 or newer (for the 4.x branch). Additionally, it is recommended to restrict network access to the Dqlite controller port to trusted hosts only using a firewall or network rules.
Canonical Juju in versions from 3.2.0 to 3.6.18 (before 3.6.19) and in versions from 4.0 to 4.0.3 (before 4.0.4)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCanonical Juju
APPCanonical3.2.0 – 3.6.20 (bez)4.0 – 4.0.5 (bez)
Related vulnerabilities
Canonical Juju — nieuprawniony dostęp do poświadczeń chmury przez Controller facade
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appr...
Juju is an open source application orchestration engine that enables any application operation on any infrastr...
An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 thro...
In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correct...