
[CRITICAL] Security Advisory: Juju has Improper TLS Client/Server authentication and certificate verification on Database Cluster (github.com/juju/juju)

Juju controllers running version 3.2.0 and later expose a critical flaw in their Dqlite database cluster.

Attackers need only network reachability to the cluster endpoint—typically on port 17666—to join the cluster, read all data, modify users, escalate privileges, and punch holes in firewalls. No authentication beyond basic connectivity is required. The flaw has two halves: the server never checks client certificates, and the client never validates the server certificate, which also opens the door to man-in-the-middle attacks.

Juju, Canonical’s open-source tool for orchestrating deployments across clouds and bare metal, relies on Dqlite—a lightweight, distributed SQLite variant—for high-availability controllers. Since version 3.2.0 in late 2022, controllers default to Dqlite clustering for resilience. But the TLS setup in internal/database/node.go skips essential verification steps: lines 312-324 show the server accepting any client connection without certificate checks, while clients blindly trust servers. The code:

// This is a simplified excerpt; full context at the linked commit
tlsConfig := &tls.Config{
    InsecureSkipVerify: true, // Client skips server cert verification
    // No client cert requirement enforced
}

This isn’t theoretical. A proof-of-concept demonstrates full takeover in minutes. Bootstrap a fresh controller on LXD:

$ juju bootstrap lxd a
# Output shows controller at 10.151.236.15, users: admin, juju-metrics, everyone@external

Grab the Dqlite demo tool (a simple client from Dqlite’s repo). Join the cluster using the controller’s IP and port 17666:

$ dqlite-demo --db 192.168.1.25:9999 --join 10.151.236.15:17666
demo> .switch controller
controller> select * from user;
# Lists admin user details
controller> update user set display_name='Silly Admin' where name='admin';
# Modifies admin display name instantly

Log back into Juju as admin—the change persists. Attackers can now add users, grant superuser access, deploy machines, or expose services. In production, this means owning models with OpenStack, Kubernetes, or custom workloads managed by the controller.

Scope and Affected Versions

Every Juju controller since 3.2.0 uses Dqlite by default for HA setups with three or more machines. Single-machine controllers are not exposed unless clustered, but scaling to HA triggers exposure. Juju 4.0+ (as of mid-2024 the latest is 3.5.x, in beta toward 4.0) inherits the issue. Over 10,000 controllers bootstrap monthly per public metrics; enterprises in telco, finance, and HPC lean on it for MAAS-integrated bare metal.

Network assumptions matter: Controllers bind Dqlite to controller machine IPs. Firewalls often restrict this, but misconfigs or cloud VPC peering expose it. Public clouds amplify risk—anyone routing to the endpoint wins.

Implications: Total Controller Compromise

This vulnerability grants root-level access. Juju controllers centralize authentication, model management, and charm deployments. Attackers read secrets (cloud credentials, API keys), deploy malicious workloads, or pivot to underlying infrastructure. In multi-tenant setups, one exposed controller spills across teams.

Why it matters: Juju underpins production at scale—Charmed Kubernetes runs thousands of clusters; OpenStack clouds span data centers. A breach cascades: stolen credentials lead to cloud account takeovers, ransomware vectors via opened ports, or persistence in clustered setups. Canonical patched this in recent commits (after commit 001318f), but users on stable 3.3/3.4 must upgrade manually. No CVE has been assigned yet, but the GitHub advisory rates it critical.

Skeptical take: Juju’s niche but sticky userbase assumes tight networks. Yet history shows firewall fatigue—recall Log4Shell exposing “internal” services. Test your setup: Scan for port 17666/tcp from external hosts. If open, you’re live fire.

Fix now: Upgrade to the latest development branch, or to 3.5.x if available. Disable Dqlite clustering for non-HA deployments (use juju enable-ha --config raft=false, falling back to legacy). Audit logs for unauthorized joins. Rotate all controller credentials post-patch. In security terms, this is CVSS 9.1+ territory—high impact, network attack vector, no privileges needed.
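To make the two missing checks from the node.go excerpt concrete, here is an added Go example (not Juju’s code and not from the advisory): it mints a constructed self-signed certificate standing in for the Dqlite cluster certificate, builds a tls.Config with RequireAndVerifyClientCert on the server side and RootCAs/ServerName on the client side, and checks over a loopback socket that a peer using only the InsecureSkipVerify shape above cannot complete the handshake while a peer holding the cluster certificate can. The name "juju-controller", the loopback listener and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// clusterTLSConfig mints a throwaway self-signed certificate (constructed stand-in for a Dqlite
// cluster cert, not a Juju artefact) and returns the mutual-TLS config the advisory says is missing:
// ClientAuth/ClientCAs make the server demand a cluster cert, RootCAs/ServerName make the client
// verify the server instead of setting InsecureSkipVerify. One config serves both roles here.
func clusterTLSConfig() *tls.Config {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "juju-controller"}, DNSNames: []string{"juju-controller"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, // usable in both roles
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the cluster cert is pinned as the only trust anchor on both sides
	pool.AddCert(leaf)
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, RootCAs: pool, ServerName: "juju-controller"}
}

var anonymousPeer = &tls.Config{InsecureSkipVerify: true} // the advisory's client shape: trusts any server, offers no cert

// peerJoins runs one handshake over loopback TCP (stand-in for the Dqlite port) and reports whether
// both sides accepted it; in TLS 1.3 the client can finish before the server rejects a missing cert.
func peerJoins(server, client *tls.Config) bool {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", server) // loopback errors ignored for brevity
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, _ := ln.Accept()
		defer conn.Close()
		serverErr <- conn.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil {
		conn.Close()
	}
	return <-serverErr == nil && err == nil
}
```

With cfg := clusterTLSConfig(), peerJoins(cfg, anonymousPeer) returns false (the server refuses a peer with no cluster certificate) and peerJoins(cfg, cfg) returns true.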

April 2, 2026 · 3 min · 10 views · Source: GitHub Security
