Compliance Impact

CVE-2025-68153 allows any authenticated user, machine, or controller within a Juju controller to modify application resources across the entire controller without proper permission checks. This unauthorized modification capability can lead to resource poisoning, including altering container images or file-based resources, potentially enabling privilege escalation and unauthorized access to sensitive data.

Such unauthorized access and modification of application resources can compromise the confidentiality, integrity, and availability of data and systems managed by Juju. This poses significant risks to compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity to protect personal and health information.

Therefore, until patched, this vulnerability could lead to non-compliance with these regulations due to insufficient access controls and potential data breaches resulting from resource tampering.

Useful 0 Not Useful 0

Executive Summary

CVE-2025-68153 is a resource poisoning vulnerability in Juju controllers affecting versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19. The issue allows any authenticated user, machine, or controller within a Juju controller to modify application resources across the entire controller without proper permission checks.

The vulnerability arises because the resource handler only verifies that the requester is authenticated but does not enforce further permission checks. An attacker who knows the model UUID, application name, and resource name can upload malicious content to overwrite existing resources in the controller's cache.

This can lead to resource poisoning, such as replacing container images with malicious versions, potentially allowing attackers to gain unauthorized access or escalate privileges within the infrastructure.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have significant security impacts by allowing attackers to modify application resources within any model in a Juju controller. For example, an attacker could replace a Docker image used by a Kubernetes Vault deployment with a malicious version, gaining root access to vault secrets.

Such unauthorized modifications can lead to privilege escalation, unauthorized access to sensitive data, and compromise of other systems connected to the Juju controller.

The impact is especially severe in deployments using OCI containers, where execution escalation is possible, but file-based resources could also be exploited depending on their security context.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized modification of Juju application resources via HTTP PUT requests to the resource handler endpoint. Detection involves monitoring for unexpected or unauthorized PUT requests to paths matching the pattern `/:modeluuid/applications/:application/resources/:resource` on Juju controllers.

To detect exploitation attempts, you can inspect Juju controller logs for PUT requests to resource upload endpoints, especially from authenticated users who should not have write permissions.

Suggested commands include using network monitoring or log inspection tools to filter HTTP PUT requests to the resource handler path. For example, using `grep` on Juju controller logs:

• grep 'PUT /' /var/log/juju/controller.log | grep '/applications/' | grep '/resources/'
• Use network packet capture tools like tcpdump or Wireshark to filter HTTP PUT requests to the Juju controller IP on port 17070 (default Juju API port):
• tcpdump -i eth0 -A 'tcp port 17070 and (((tcp[((tcp[12:1] & 0xf0) >> 2):4]) = 0x50455420))'

Additionally, verify the authentication and authorization logs to identify any authenticated users performing resource uploads without proper permissions.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Juju to a patched version where this vulnerability is fixed. Specifically, upgrade to Juju versions 2.9.56 or later, or 3.6.19 or later.

These versions include a fix that enforces strict permission checks on resource uploads by separating upload and download handlers and requiring model write access for uploads.

Until you can upgrade, consider restricting access to the Juju controller API to trusted users only, and monitor for suspicious resource upload activity.

Review and tighten user permissions to ensure that only authorized users have write access to models and resources.

Implement network-level controls to limit access to the Juju controller API port and consider additional logging and alerting on resource modification attempts.

Useful 0 Not Useful 0