Juju security bulletin - CVE-2024-3250

Hello Juju users,

Last week a vulnerability was discovered in Pebble’s access controls for the file pull API.

CVE-2024-3250

It was discovered that Canonical’s Pebble service manager read-file API, and the associated pebble pull command, before v1.10.2 allowed unprivileged local users to read any file the Pebble process could read, i.e. with root-equivalent permissions when Pebble was running as root. Fixes are also available as backports to v1.1.1, v1.4.2, and v1.7.4.

As such, we have released Juju patches that incorporate the fixed Pebble versions, restricting the file pull API to root and the user that owns the Pebble daemon.
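The following is an added example, not Pebble’s or Juju’s own code, of the kind of check the fix describes: a unix-socket API server that asks the kernel for the caller’s uid (SO_PEERCRED, Linux-only) and serves a file pull only to root or the daemon owner. The pre-fix shape (read the file for whoever asks) sits beside the hardened handler. The socket path, the sample secret file, and the function names are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// Access level of a caller on the API socket; only Admin may use file pull.
type Access int

const (
	Untrusted Access = iota
	Admin
)

// peerUID asks the kernel who is on the other end of a unix-domain socket
// (SO_PEERCRED; Linux-only). Unlike anything in the request body, the
// client cannot forge this.
func peerUID(conn *net.UnixConn) (uint32, error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return 0, err
	}
	var cred *syscall.Ucred
	var cerr error
	if err := raw.Control(func(fd uintptr) {
		cred, cerr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil {
		return 0, err
	}
	if cerr != nil {
		return 0, cerr
	}
	return cred.Uid, nil
}

// accessFor is the post-fix policy: root or the daemon's own uid is Admin,
// every other local user is Untrusted.
func accessFor(uid, daemonUID uint32) Access {
	if uid == 0 || uid == daemonUID {
		return Admin
	}
	return Untrusted
}

// pullUnchecked is the pre-fix shape of the handler: it reads the file with
// the daemon's privileges without asking who is calling.
func pullUnchecked(path string) ([]byte, error) {
	return os.ReadFile(path)
}

// pullChecked is the hardened handler: deny unless the peer is Admin.
func pullChecked(server *net.UnixConn, daemonUID uint32, path string) ([]byte, error) {
	uid, err := peerUID(server)
	if err != nil {
		return nil, err
	}
	if accessFor(uid, daemonUID) != Admin {
		return nil, fmt.Errorf("access denied: uid %d is neither root nor the daemon owner (uid %d)", uid, daemonUID)
	}
	return pullUnchecked(path)
}

// PullOverSocket stands up a throwaway listener (assumed socket path), connects
// to it as the current process, and runs the hardened handler on the accepted
// side with daemonUID as the configured daemon owner.
func PullOverSocket(daemonUID uint32, path string) ([]byte, error) {
	dir, err := os.MkdirTemp("", "pull-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	addr := &net.UnixAddr{Name: filepath.Join(dir, "api.sock"), Net: "unix"}
	ln, err := net.ListenUnix("unix", addr)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	client, err := net.DialUnix("unix", nil, addr)
	if err != nil {
		return nil, err
	}
	defer client.Close()
	server, err := ln.AcceptUnix()
	if err != nil {
		return nil, err
	}
	defer server.Close()
	return pullChecked(server, daemonUID, path)
}

func main() {
	// Constructed sample file standing in for something only root should read.
	f, _ := os.CreateTemp("", "secret")
	defer os.Remove(f.Name())
	f.WriteString("db-password=hunter2\n")
	f.Close()
	me := uint32(os.Getuid())
	data, err := PullOverSocket(me, f.Name()) // caller is the daemon owner
	fmt.Printf("as daemon owner: %q err=%v\n", data, err)
	data, err = PullOverSocket(me+1, f.Name()) // caller is some other local user
	fmt.Printf("as other user:   %q err=%v\n", data, err)
}
```

Run it as an unprivileged user to see the second pull denied; run as root and both succeed, because uid 0 is always Admin. That is also the property to verify when confirming a patched Pebble: an unprivileged shell in the same container should get a permission error from pebble pull on a root-only file, not its contents.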

Please ensure you upgrade all Kubernetes controllers and Kubernetes models ASAP.

Vulnerable Juju version    Patched Juju version
<=2.9.48                   >=2.9.49
3.0.*                      >=3.1.8
<=3.1.7                    >=3.1.8
3.2.*                      >=3.3.4
<=3.3.3                    >=3.3.4
<=3.4.1                    >=3.4.2

A reminder that Juju versions prior to 2.9, as well as the 3.0 and 3.2 series, are no longer receiving security updates. We highly recommend you upgrade systems running these versions of Juju to the latest, or nearest, supported version.

Please reach out to us on Matrix if you have any questions or concerns.