Hello Juju users,
Three vulnerabilities have been discovered in Juju’s access checks for several HTTP endpoints, as well as a zip file vulnerability which can be exploited by deploying a specially crafted charm file. The relevant security advisories are:
- Zip slip via authenticated endpoint
- Sensitive log retrieval via authenticated endpoint without authorization
- Arbitrary executable upload via authenticated endpoint without authorization
At the time of writing the CVE numbers have been reserved but not yet published. Please refer to the advisory links above for details of the issues. This post will be updated as soon as the CVEs are published.
We have released patches for Juju that perform the correct permission checks on the affected endpoints and mitigate the zip slip attack.
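The zip slip class of bug named above comes from trusting entry names inside an archive when writing files out. As an added illustration that is not Juju's code and not the actual patch, the following Go check resolves each entry of a charm zip against an extraction root and reports any entry that would land outside it; the root path and the sample archive are constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// SafeJoin resolves a zip entry name against root, rejecting names that escape it.
func SafeJoin(root, name string) (string, error) {
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", fmt.Errorf("zip slip: absolute entry %q", name)
	}
	cleanRoot := filepath.Clean(root)
	dest := filepath.Join(cleanRoot, name) // Join resolves "a/../../b" to its real target
	if dest != cleanRoot && !strings.HasPrefix(dest, cleanRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("zip slip: entry %q escapes %s", name, cleanRoot)
	}
	return dest, nil
}

// CheckArchive returns the names of zip entries (a charm is a zip) that would escape root.
func CheckArchive(data []byte, root string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ can flag insecure names (GODEBUG=zipinsecurepath=0) yet still returns a usable reader.
	if err != nil && err != zip.ErrInsecurePath {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, err := SafeJoin(root, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// BuildSample returns a constructed zip: one benign and one traversing entry (test data, not a charm).
func BuildSample() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, name := range []string{"metadata.yaml", "../../../tmp/evil.sh"} {
		fw, _ := w.Create(name)
		_, _ = fw.Write([]byte("x"))
	}
	_ = w.Close()
	return buf.Bytes()
}
```

Running `CheckArchive(BuildSample(), "/srv/charm")` reports only the traversing entry; an extractor should refuse the whole archive when that list is non-empty rather than skip the bad entries.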
Please ensure you upgrade all Juju controllers ASAP.
| Vulnerable Juju version | Patched Juju version |
|---|---|
| <=2.9.51 | >=2.9.51 |
| <=3.6.7 | >=3.6.8 |
| 2.8.* | none |
| 3.1.* | none |
| 3.2.* | none |
| 3.3.* | none |
| 3.4.* | none |
| 3.5.* | none |
A reminder that Juju 2.x versions prior to 2.9, and 3.x versions prior to 3.6, are no longer receiving security updates. We highly recommend you upgrade controllers running these versions of Juju to the latest/nearest supported version.
Please reach out to us on Matrix if you have any questions or concerns.