Juju Controller Facade Cloud Credentials Exposure Vulnerability

Vulnerability

An authorization vulnerability has been identified in the Juju Controller facade, affecting versions prior to 2.9.57 and 3.6.21. Any authenticated user can retrieve sensitive cloud credentials by calling the CloudSpec method of that facade: the method is exposed to every client with login permission on the controller and is not gated by any further permission check. A low-privileged user can therefore extract the credentials that were used to bootstrap the controller and use them to access or manipulate resources in the underlying cloud.

Impact

Exploitation requires only a valid controller login. A low-privileged user obtains the cloud credential the controller itself operates with, and can use it directly against the cloud account hosting the controller to read, create, modify or destroy resources there, independently of what Juju would otherwise allow that user to do.

Remediation

Upgrade to Juju 2.9.57 or 3.6.21 (or a later release in the same series). Where upgrading is not immediately possible, the only mitigation is to restrict ingress to the controller API: TCP port 17070 on every controller machine for VM deployments, or the controller service for Kubernetes deployments. Any such restriction must still admit every legitimate client of that port, including the Juju CLI, libjuju-based automation and JAAS, as well as the Juju agents on deployed machines and, in HA deployments, the peer controllers, all of which connect to port 17070.
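The following is an added example, not tooling shipped with Juju, of how the VM-deployment mitigation above can be expressed as an nftables ruleset for a controller machine. It accepts TCP/17070 only from an allowlist of client networks and drops every other connection to that port, leaving all other traffic to the machine's existing policy. The allowlist CIDRs in the usage comment are placeholders; in a real deployment they must cover the Juju CLI hosts, libjuju and JAAS, the workload machines whose agents talk to the controller, and the other controller machines of an HA controller. Loopback is always accepted because the controller machine's own agent connects to the API locally.

```shell
#!/bin/sh
# Added example (not part of Juju): generate, and optionally apply, an
# nftables ruleset that limits ingress to the Juju controller API port to a
# client allowlist. IPv4 and IPv6 CIDRs may be mixed; they are split into
# separate match rules because nftables cannot mix address families in one set.
#
# Usage on a controller machine, as root (the CIDRs below are placeholders):
#   sh juju-api-ingress.sh --apply 10.0.0.0/24 2001:db8::/32 203.0.113.7/32
# Without --apply the ruleset is only printed for review.

JUJU_API_PORT=17070

# gen_nft_ruleset <cidr>... : print an inet-family ruleset that accepts
# TCP/$JUJU_API_PORT from loopback and the given CIDRs and drops the rest.
gen_nft_ruleset() {
    v4=""
    v6=""
    for cidr in "$@"; do
        case "$cidr" in
            *:*) v6="${v6:+$v6, }$cidr" ;;   # contains ':' -> IPv6
            *)   v4="${v4:+$v4, }$cidr" ;;   # otherwise IPv4
        esac
    done
    echo "table inet juju_api {"
    echo "    chain input {"
    echo "        type filter hook input priority 0; policy accept;"
    # The controller's own agent reaches the API over loopback.
    echo "        iifname \"lo\" accept"
    if [ -n "$v4" ]; then
        echo "        tcp dport $JUJU_API_PORT ip saddr { $v4 } accept"
    fi
    if [ -n "$v6" ]; then
        echo "        tcp dport $JUJU_API_PORT ip6 saddr { $v6 } accept"
    fi
    # Default deny for the API port only; everything else keeps the host policy.
    echo "        tcp dport $JUJU_API_PORT drop"
    echo "    }"
    echo "}"
}

# ruleset_denies_by_default <ruleset-text> : succeed only if the text ends
# the API-port handling with an unconditional drop, i.e. the allowlist is
# really an allowlist and not just an extra accept rule.
ruleset_denies_by_default() {
    printf '%s\n' "$1" | grep -qF "tcp dport $JUJU_API_PORT drop"
}

if [ "${1:-}" = "--apply" ]; then
    shift
    rules="$(gen_nft_ruleset "$@")"
    ruleset_denies_by_default "$rules" || { echo "refusing to apply: no default drop" >&2; exit 1; }
    printf '%s\n' "$rules" | nft -f -
fi
```

Review the printed ruleset before applying it: an allowlist that omits the workload machines' network will cut the agents off from the controller, and one that omits the peer controllers will break an HA controller. Verify afterwards from an unlisted host that a TCP connection to port 17070 is refused, and from a listed host that `juju status` still works.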

Added: Apr 10, 2026, 1:34 PM
Updated: Apr 10, 2026, 1:34 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          2.5
exploitability  4.8
remediation     7.9
relevance       5.6
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.