Juju
cpe:2.3:a:canonical:juju:*:*:*:*:*:*:*
- >= 2.9, < 2.9.56
- >= 3.6, < 3.6.19
A vulnerability exists in Juju versions 2.9 prior to 2.9.56 and 3.6 prior to 3.6.19, allowing any authenticated user, machine, or controller under a Juju controller to modify application resources across the entire controller. This issue arises because the resource handler's authorization mechanism only checks that the caller is authenticated, without requiring any additional permission on the controller or on individual models. As a result, the vulnerability can be exploited by uploading malicious resources that could, for example, compromise other workloads by injecting vulnerabilities through modified OCI container images.
Exploitation of this vulnerability allows for unauthorized modification of application resources, with the potential to inject security vulnerabilities into other workloads, particularly those using OCI containers, which could lead to escalation of privileges by accessing sensitive secrets, such as those managed by Vault.
To reproduce this vulnerability, authenticate as a user, machine, or controller in a Juju environment. Then send a 'PUT' request to the resource handler, which does not check for the necessary permissions, specifying the model UUID, application name, and resource name. The request can include a payload that modifies an existing resource or adds a new one, effectively poisoning the resource cache on the controller.
Users can upgrade to Juju 2.9.56 or 3.6.19, the releases in which this vulnerability has been patched.
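The following is an added example, not part of this advisory or of the Juju project, that turns the two affected ranges above into a version check a controller operator can run against the output of 'juju version' (or the controller version reported by 'juju status'). It assumes that the version string begins with 'major.minor[.patch]' and may carry a suffix such as '-ubuntu-amd64'; the sample inputs are constructed.

```python
"""Check whether a Juju version string falls inside the affected ranges
listed in this advisory: 2.9 before 2.9.56 and 3.6 before 3.6.19.

Added example; not code from the advisory or from Juju."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected series and the first fixed release of each, taken from the advisory.
AFFECTED_RANGES = {
    (2, 9): (2, 9, 56),
    (3, 6): (3, 6, 19),
}

# Assumed version format: optional 'v', major.minor, optional .patch,
# then anything else (e.g. '-ubuntu-amd64', '-beta1'), which is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Parse '2.9.55-ubuntu-amd64' or '3.6.19' into (major, minor, patch).
    A missing patch component is treated as 0 so pre-releases such as
    '3.6-beta1' sort before every numbered 3.6.x release."""
    match = _VERSION_RE.match(text)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return int(major), int(minor), int(patch)


def assess(text: str) -> str:
    """Classify a version string against the advisory's ranges.

    Returns 'affected', 'fixed', 'not in listed ranges' (a series the
    advisory does not mention, which is not the same as safe), or
    'unparsable'."""
    version = parse_version(text)
    if version is None:
        return "unparsable"
    first_fixed = AFFECTED_RANGES.get(version[:2])
    if first_fixed is None:
        return "not in listed ranges"
    return "affected" if version < first_fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs covering each outcome.
    for sample in ("2.9.55-ubuntu-amd64", "2.9.56", "3.6-beta1",
                   "3.6.19-genericlinux-amd64", "3.5.7", "unknown"):
        print(f"{sample:28} -> {assess(sample)}")
```

Only the two series named in the advisory are classified; any other series is reported as "not in listed ranges" rather than "fixed", so the script never claims safety the advisory does not state.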