
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-8038 is a vulnerability in juju's introspection facility, specifically the abstract UNIX domain socket it exposes. It was disclosed on October 2, 2024 and affects juju versions <= 3.5.3, <= 3.4.5, <= 3.3.6, <= 3.2.4, <= 3.1.9, and <= 2.9.50. The introspection socket is reachable without proper authentication by users in the network namespace of the local juju agent (GitHub Advisory).
Because the introspection socket is an abstract UNIX domain socket with no authentication, any local user who shares the network namespace of the running juju agent can connect to it. The vulnerability has been assigned a CVSS v3.1 base score of 7.9 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H, and the weakness is categorized as CWE-420 (Unprotected Alternate Channel) (GitHub Advisory, NVD).
The impact depends on which agent exposes the socket. On a juju controller agent, an attacker can cause a denial of service through the /leases/revoke endpoint, affecting availability. On a juju machine agent hosting units, an attacker can disable the unit component by calling the /units endpoint with a 'stop' action (GitHub Advisory).
The vulnerability is fixed in versions 3.5.4, 3.4.6, 3.3.7, 3.1.10, and 2.9.51, via patch 43f0fc5. No workarounds are available for unpatched systems; upgrading is the only remediation (GitHub Advisory).
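To turn the affected and fixed version lists above into an inventory check, the following added example (not code from juju or from this database) compares an installed juju version against the ranges the advisory gives and names the release to move to. The data tables are copied from the advisory text; the function names are this example's own, and the advisory lists no fixed release for the 3.2 series, which the check reports rather than guesses.

```python
# Added example: assess a juju agent version against CVE-2024-8038.
# AFFECTED_MAX and FIXED are transcribed from the advisory; nothing else
# here is a juju or vendor API.

# Highest affected patch release per minor series ("<= x.y.z").
AFFECTED_MAX = {
    (2, 9): 50,
    (3, 1): 9,
    (3, 2): 4,
    (3, 3): 6,
    (3, 4): 5,
    (3, 5): 3,
}

# Fixed release per minor series. The advisory names no fix for 3.2.x,
# so that series is intentionally absent.
FIXED = {
    (2, 9): "2.9.51",
    (3, 1): "3.1.10",
    (3, 3): "3.3.7",
    (3, 4): "3.4.6",
    (3, 5): "3.5.4",
}


def parse_version(text):
    """Turn '3.4.5' (or '3.4.5-<suffix>') into a (major, minor, patch) tuple."""
    core = text.strip().split("-")[0]   # ignore any trailing build suffix
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised juju version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return (vulnerable, advice) for an installed juju version string."""
    major, minor, patch = parse_version(version_text)
    series = (major, minor)
    if series not in AFFECTED_MAX:
        # Series not named in the advisory: neither confirmed affected nor fixed.
        return (False, "series not covered by the advisory; check upstream")
    if patch > AFFECTED_MAX[series]:
        return (False, "already at or past the fixed release")
    fixed = FIXED.get(series)
    if fixed is None:
        return (True, "vulnerable; advisory lists no fixed release for this series")
    return (True, f"vulnerable; upgrade to {fixed}")


if __name__ == "__main__":
    for v in ["3.5.3", "3.5.4", "3.2.4", "2.9.50", "3.0.2"]:
        print(v, assess(v))
```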
Source: This report was generated using AI