{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/juju/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2025-68153"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["juju","resource-poisoning","privilege-escalation","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA resource poisoning vulnerability exists within Juju, a cloud orchestration tool. Any authenticated user, machine, or controller operating under a Juju controller can exploit this vulnerability to modify the resources of an application within the entire controller. The vulnerability stems from insufficient authorization checks in the resource handler, allowing unauthorized PUT and GET requests. A compromised workload with machine credentials can modify OCI resources for other models in the controller, such as replacing a legitimate Docker image with a trojan horse version. This vulnerability affects Juju versions prior to the fix in commit 26ff93c903d5, specifically in the go/github.com/juju/juju package. This can have significant consequences, including privilege escalation and unauthorized access to sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Juju controller as an authenticated user, machine, or controller. This could be via compromised credentials or a vulnerable workload already within the Juju environment.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the target model UUID, application name, and resource name they wish to poison. This information can be obtained through enumeration within the Juju environment or by leveraging publicly available charm information from Charmhub.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious resource, such as a trojan horse Docker image, that has the same file extension as the original resource.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a PUT request to the resource handler endpoint \u003ccode\u003e/:modeluuid/applications/:application/resources/:resources\u003c/code\u003e with the malicious resource.\u003c/li\u003e\n\u003cli\u003eThe Juju controller\u0026rsquo;s resource handler, lacking proper authorization checks, accepts the malicious resource and overwrites the existing resource in its cache.\u003c/li\u003e\n\u003cli\u003eWhen the target application attempts to retrieve the resource, it receives the poisoned version from the controller\u0026rsquo;s cache.\u003c/li\u003e\n\u003cli\u003eThe poisoned resource is executed or deployed within the target application\u0026rsquo;s environment, leading to compromise. In the case of a Docker image, this could lead to root access on the underlying system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised application (e.g., a Kubernetes vault) to access sensitive information, such as vault secrets, and further expand their access within the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an attacker to inject security vulnerabilities into other workloads managed by Juju. This can lead to privilege escalation, data breaches, and complete compromise of the Juju-managed environment. The most obvious impact is on deployments using OCI containers, where a malicious Docker image can grant an attacker execution escalation. In a Kubernetes environment managing vault secrets, an attacker could potentially gain root access to all vault secrets, seriously impacting the confidentiality and integrity of the data stored within. The specific impact depends on the type of resource poisoned and its role in the target application, but could be severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Juju to a version containing the fix for CVE-2025-68153 to address the underlying vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement additional authorization checks and access controls within the Juju environment to restrict resource modification to authorized users and processes.\u003c/li\u003e\n\u003cli\u003eEnable and review Juju API server logs (category: webserver, product: linux) for suspicious PUT requests to resource handler endpoints, looking for unexpected resource modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthorized Juju Resource Modification\u0026rdquo; to your SIEM to detect unauthorized PUT requests to Juju resource endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T12:00:00Z","date_published":"2026-04-04T12:00:00Z","id":"/briefs/2026-04-juju-resource-poisoning/","summary":"An authenticated user, machine, or controller within a Juju controller can modify application resources due to a lack of authorization checks, potentially leading to resource poisoning and privilege escalation by uploading malicious resources.","title":"Juju Resource Poisoning Vulnerability Allows Unauthorized Resource Modification","url":"https://feed.craftedsignal.io/briefs/2026-04-juju-resource-poisoning/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["juju","dqlite","tls","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJuju, a service orchestration tool, contains a critical vulnerability related to improper TLS configuration within its Dqlite database cluster. This vulnerability affects Juju controller versions 3.2.0 up to 3.6.20 and 4.0.5. The lack of client certificate checking and server certificate verification allows an attacker with network route-ability to the Juju controller\u0026rsquo;s Dqlite cluster endpoint (port 17666) to join the cluster without proper authentication. This grants the attacker the ability to read and modify all information within the database, including sensitive user credentials and system configurations. Exploitation of this vulnerability enables privilege escalation, unauthorized access to resources, and potentially the ability to open firewall ports, leading to a complete compromise of the Juju controller and managed services. Patches are available in Juju versions 3.6.20 and 4.0.5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains network access to the target Juju controller\u0026rsquo;s Dqlite cluster endpoint, typically port 17666.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like \u003ccode\u003edqlite-demo\u003c/code\u003e or a custom-built application leveraging the go-dqlite library to attempt to join the Dqlite cluster.\u003c/li\u003e\n\u003cli\u003eDue to the missing client certificate verification, the attacker\u0026rsquo;s connection is accepted without proper authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker switches to the \u003ccode\u003econtroller\u003c/code\u003e database using the \u003ccode\u003e.switch controller\u003c/code\u003e command within the dqlite shell.\u003c/li\u003e\n\u003cli\u003eThe attacker queries the \u003ccode\u003euser\u003c/code\u003e table to identify existing users and their associated privileges using \u003ccode\u003eselect * from user;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003edisplay_name\u003c/code\u003e of the \u003ccode\u003eadmin\u003c/code\u003e user within the \u003ccode\u003euser\u003c/code\u003e table using an \u003ccode\u003eupdate\u003c/code\u003e SQL command, for example: \u003ccode\u003eupdate user set display_name='Compromised Admin' where name='admin';\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker could further modify credentials, add new administrative users, or modify system configurations within the database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their unauthorized access to escalate privileges, compromise managed services, and potentially open firewall ports, gaining complete control over the Juju environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely compromise the Juju controller. The attacker can read and modify all information within the Juju database, including user credentials, application configurations, and system settings. This can lead to the compromise of all applications and services managed by the Juju controller.  Privilege escalation allows the attacker to gain administrative control over the Juju environment. The ability to open firewall ports provides a pathway for lateral movement and further exploitation of the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Juju controllers to versions 3.6.20 or 4.0.5 to apply the patches that address this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement restrictive firewall rules to limit access to port 17666 on Juju controllers, as recommended in the advisory. Ensure only other controller IP addresses can connect to this port.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect unauthorized connections to the Dqlite database (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 17666 for unexpected source IP addresses (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T00:03:36Z","date_published":"2026-04-02T00:03:36Z","id":"/briefs/2026-04-juju-tls-vuln/","summary":"Juju controller versions 3.2.0 up to 3.6.20 and 4.0.5 are vulnerable to unauthorized database access due to improper TLS client/server authentication and certificate verification, allowing an attacker with network access to modify all information, escalate privileges, and open firewall ports.","title":"Juju Controller Vulnerable to Unauthorized Database Access Due to Improper TLS Configuration","url":"https://feed.craftedsignal.io/briefs/2026-04-juju-tls-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Juju","version":"https://jsonfeed.org/version/1.1"}