Security Advisory: CVE Affecting Percona Monitoring and Management (PMM)

A critical security vulnerability has been identified in the following software that Percona has made available and that you may be using:  PMM 3.x installations (that is, 3.0 and forward). The Common Vulnerabilities and Exposures (CVE) identifier for this issue is on request from mitre.org.

Vulnerability details

We were notified via an external report that PMM Server 3.x installations incorporate several components affected by recent, highly relevant CVEs:

What Percona has done

• We have released PMM 3.4.1 to directly address these security concerns. This includes:
  • Upgrading Percona Toolkit to resolve a high-severity DoS vulnerability.
  • Removing the vulnerable clickhouse-diagnostics package to eliminate exposure from ClickHouse Go-related flaws.
  • Upgrading Nomad to v1.10.5 to mitigate the SSH agent dependency vulnerability (CVE-2025-8959).
  • Security patches are already included in the base Oracle Linux 9 OS that address the OpenSSL/OL9 CVE. We will apply those updates as soon as Oracle releases them publicly. 
• For transparency and broader security awareness, we will be publishing a public CVE for this issue.  

What you should do

• We strongly recommend that all users upgrade their PMM installation to version 3.4.1 immediately to apply the crucial security fixes:
  • Upgrading PMM 3: Upgrade your existing PMM 3 installation
  • Upgrading from PMM 2: Migrate from PMM 2 to PMM 
• Percona Managed Services customers: The team will work with you to upgrade your PMM to version 3.4.1 and Nomad (if previously deployed). If you have any questions, please open a ticket in our Percona Customer Portal. 
• Percona Support and Professional Services customers: If you need any assistance upgrading or reviewing your exposure, please contact our Services support team by opening a ticket in our Percona Customer Portal.

We’re here to help 

We are available to assist you 24/7 if you need further clarification or assistance: 

• Technical support portal for customers
• Technical support for community

Ensuring the security of your database infrastructure is our top priority. We thank you for your continued trust in Percona.

About the Author

Liz Warner
Liz Warner is Chief Technology Officer at Percona. Before joining Percona she was CTO at Weaveworks, an open source company in the Kubernetes space. She’s worked as a CTO for over a decade, with a background in software and infrastructure engineering. She’s led product/engineering organizations for companies like NatWest, Nationwide, and Toyota Connected, as well as leading teams and building systems for Mastercard and Apple. A native of California and graduate of UC Berkeley, she lives in the United Kingdom with her family.

Subscribe

Notify of

new follow-up comments new replies to my comments

Label

{} [+]

Name*

Email*

Website

Δ

Label

{} [+]

Name*

Email*

Website

Δ

0 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments