Description
Vulnerable juju introspection abstract UNIX domain socket
Impact
An abstract UNIX domain socket responsible for introspection is available without authentication locally to any user with access to the network namespace where the local juju agent is running.
On a juju controller agent, denial of service can be performed by using the /leases/revoke endpoint. Revoking leases in juju can cause availability issues.
On a juju machine agent that is hosting units, disabling the unit component can be performed using the /units endpoint with a "stop" action.
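The exposure described above comes from the socket living in the abstract UNIX namespace, where no filesystem permission bits apply and reachability is scoped only by network namespace. As an added audit example (not code from the juju project or from this advisory), the Go program below parses /proc/net/unix and lists every abstract-namespace socket that is currently accepting connections in the caller's network namespace. The embedded /proc/net/unix sample and the socket names in it are constructed; this page does not give the real introspection socket name, so the tool reports all listening abstract sockets rather than filtering for one.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// soAcceptCon is the __SO_ACCEPTCON bit in the Flags column of /proc/net/unix;
// the kernel sets it on sockets that are listening for connections.
const soAcceptCon = 0x10000

// UnixSocket is one parsed row of /proc/net/unix.
type UnixSocket struct {
	Inode     uint64
	Type      uint16 // 1 = SOCK_STREAM, 2 = SOCK_DGRAM, 5 = SOCK_SEQPACKET
	Listening bool   // __SO_ACCEPTCON set in Flags
	Abstract  bool   // name lives in the abstract namespace (printed with a leading '@')
	Path      string // filesystem path or abstract name, with the '@' marker removed
}

// SampleProcNetUnix is a constructed sample in the kernel's /proc/net/unix layout
// (not captured from any real host). It holds a filesystem listener, one listening
// abstract socket, an accepted connection on that socket, and a pathless datagram socket.
const SampleProcNetUnix = `Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 20001 /run/example/listener.sock
0000000000000000: 00000002 00000000 00010000 0001 01 20002 @example-abstract-listener
0000000000000000: 00000003 00000000 00000000 0001 03 20003 @example-abstract-listener
0000000000000000: 00000002 00000000 00000000 0002 01 20004
`

// ParseProcNetUnix parses the /proc/net/unix text format: a header row followed by
// "Num RefCount Protocol Flags Type St Inode [Path]" rows; Flags and Type are hex,
// Inode is decimal, and Path is absent for unnamed sockets.
func ParseProcNetUnix(r io.Reader) ([]UnixSocket, error) {
	var socks []UnixSocket
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 7 || fields[0] == "Num" {
			continue // header row or blank line
		}
		flags, err := strconv.ParseUint(fields[3], 16, 32)
		if err != nil {
			return nil, fmt.Errorf("bad Flags %q: %w", fields[3], err)
		}
		typ, err := strconv.ParseUint(fields[4], 16, 16)
		if err != nil {
			return nil, fmt.Errorf("bad Type %q: %w", fields[4], err)
		}
		inode, err := strconv.ParseUint(fields[6], 10, 64)
		if err != nil {
			return nil, fmt.Errorf("bad Inode %q: %w", fields[6], err)
		}
		s := UnixSocket{Inode: inode, Type: uint16(typ), Listening: flags&soAcceptCon != 0}
		if len(fields) >= 8 {
			s.Path = fields[7]
			if strings.HasPrefix(s.Path, "@") {
				s.Abstract = true
				s.Path = s.Path[1:]
			}
		}
		socks = append(socks, s)
	}
	return socks, sc.Err()
}

// ListeningAbstractSockets returns the names of abstract-namespace sockets that accept
// connections. No filesystem permissions apply to them, so each name returned is
// reachable by any process sharing the network namespace in which the audit runs.
func ListeningAbstractSockets(socks []UnixSocket) []string {
	var names []string
	for _, s := range socks {
		if s.Abstract && s.Listening {
			names = append(names, s.Path)
		}
	}
	return names
}

func main() {
	// Read the live table on Linux; elsewhere fall back to the constructed sample.
	var r io.Reader = strings.NewReader(SampleProcNetUnix)
	if f, err := os.Open("/proc/net/unix"); err == nil {
		defer f.Close()
		r = f
	}
	socks, err := ParseProcNetUnix(r)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, name := range ListeningAbstractSockets(socks) {
		fmt.Println("listening abstract socket:", name)
	}
}
```

Run it inside the network namespace of a juju controller or machine agent (on a containerised agent that means inside the container) and compare the reported listeners with what the host is expected to expose; an agent below the patched versions listed under Patches is the one whose introspection listener this advisory is about.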
Patches
Patch: https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b
Patched in:
- 3.5.4
- 3.4.6
- 3.3.7
- 3.1.10
- 2.9.51
Workarounds
No workaround.
References
- https://github.com/juju/juju/security/advisories/GHSA-xwgj-vpm9-q2rq
- https://nvd.nist.gov/vuln/detail/CVE-2024-8038
- https://github.com/juju/juju/commit/43f0fc59790d220a457d4d305f484f62be556d3b
- https://github.com/juju/juju/blob/725800953aaa29dbeda4f806097bf838e61644dd/worker/introspection/worker.go#L125
- https://pkg.go.dev/vuln/GO-2024-3175
Packages
github.com/juju/juju
Affected versions: < 0.0.0-20240829052008-43f0fc59790d
Fixed in: 0.0.0-20240829052008-43f0fc59790d
Related vulnerabilities
Vulnerable juju introspection abstract UNIX domain socket. An abstract UNIX domain socket responsible for introspection is available without authentication locally to network namespace users. This enables denial of service attacks.