Percona Monitoring and Management 3.4.1
Release date: October 13, 2025
Percona Monitoring and Management (PMM) is an open source database monitoring, management, and observability solution for MySQL, PostgreSQL, and MongoDB. PMM empowers you to:
- monitor the health and performance of your database systems
- identify patterns and trends in database behavior
- diagnose and resolve issues faster with actionable insights
- manage databases across on-premises, cloud, and hybrid environments
🆕 Release summary
PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities and dependency upgrades to enhance stability and security.
🔒 Security updates
Nomad Denial-of-Service (DoS) vulnerability (CVE-2025-8959)
PMM includes Nomad, which is currently affected by a high-severity DoS vulnerability originating from the Go crypto library.
The risk is minimal for typical PMM deployments because Nomad is disabled by default. We strongly recommend keeping Nomad disabled to prevent exposure.
We’ve upgraded Nomad to v1.10.5 and continue monitoring the upstream project. Once a fully patched version becomes available, we will include the fix in an upcoming PMM release.
Fixed: DoS in Percona Toolkit (Logrus)
Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability in the github.com/sirupsen/logrus dependency. This flaw could previously crash Percona Toolkit commands, disrupting PMM data collection.
False-positive reported CVEs (PMM not affected)
Security scanning tools may flag the following CVEs. After a thorough review, we have confirmed that PMM 3.4.1 is not affected by these vulnerabilities.
OpenSSL cipher processing (CVE-2023-5363)
PMM is not affected by this vulnerability.
The openssl-libs package included in PMM’s Oracle Linux 9 base operating system already contains the necessary security fix for this OpenSSL cipher processing issue. You can verify this in Oracle’s official security advisory ELSA-2024-0627.
Remote code execution in Python Setuptools (CVE-2024-6345)
PMM is not affected by this vulnerability.
The PMM image’s base OS, Oracle Linux 9, ships with python3-setuptools version 53.0.0-13.el9_6.1, which already includes the fix that addresses this vulnerability. You can confirm this through Oracle’s security advisory ELSA-2024-5534.
ClickHouse vulnerabilities related to outdated Go runtime (CVE-2024-24790)
PMM is not affected by this vulnerability.
This vulnerability was discovered in ClickHouse version 23.8.2.7, the database engine that PMM uses for storing performance metrics. The vulnerability stems from an older version of Go (1.19.10) that was used to compile ClickHouse components.
The vulnerability specifically affects the clickhouse-diagnostics utility, which is a diagnostic tool that PMM does not use in its operations. To completely eliminate any potential exposure, we have removed the clickhouse-diagnostics package entirely from PMM 3.4.1.
We are planning a ClickHouse version upgrade for PMM 3.5.0, which will include an updated Go runtime and bring additional performance improvements and security enhancements.
Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602)
These vulnerabilities affect the openssl-libs package that comes with PMM’s Oracle Linux 9 base image.
Oracle has released patches for these vulnerabilities, but they are distributed exclusively through Ksplice, Oracle’s live patching service, available only to customers with Premier Support.
Because PMM uses only publicly available repositories, we cannot include these Ksplice-only updates in the current release.
We assess this risk as low, as PMM is usually deployed in controlled environments. We will apply the updates as soon as Oracle releases them publicly for Oracle Linux.
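The false-positive and accepted-risk items above share one root cause: the Oracle Linux 9 packages carry backported fixes without changing the upstream version number, so version-matching scanners keep flagging them. The following script, an added example that is not part of these release notes or of PMM itself, triages such hits by checking whether the installed package's RPM changelog records the CVE as fixed; the changelog lines in the test are constructed samples, and running it assumes a shell inside the PMM Server container where `rpm` is available.

```shell
#!/usr/bin/env bash
# Added example, not part of the Percona release notes: triage scanner hits for
# an RPM-based image by checking whether the installed package's changelog
# records the CVE as fixed. Distros backport fixes without bumping the
# upstream version, which is why version-matching scanners report them.
set -eu

# Return 0 if the CVE id appears as a whole word in the changelog text
# (whole-word match so CVE-2024-6345 does not match CVE-2024-63450).
cve_fixed_in_changelog() {
    local cve="$1" changelog="$2"
    grep -Fiqw -- "$cve" <<<"$changelog"
}

# Print one line per CVE for an installed package: "fixed-in-changelog" or
# "NOT in changelog" (the latter means: investigate, e.g. a Ksplice-only fix).
audit_package() {
    local pkg="$1"; shift
    local nvr changelog cve
    nvr="$(rpm -q "$pkg")" || { echo "$pkg: not installed"; return 0; }
    changelog="$(rpm -q --changelog "$pkg")"
    for cve in "$@"; do
        if cve_fixed_in_changelog "$cve" "$changelog"; then
            echo "$nvr: $cve fixed-in-changelog"
        else
            echo "$nvr: $cve NOT in changelog"
        fi
    done
}

# The packages and CVEs the 3.4.1 notes discuss. Per the notes, CVE-2023-5363
# and CVE-2024-6345 are already fixed in the base image; the two 2022 OpenSSL
# CVEs are listed there as an accepted risk, so compare against what the
# changelog actually reports.
main() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; run this inside the PMM Server container" >&2
        return 0
    fi
    audit_package openssl-libs CVE-2023-5363 CVE-2022-3786 CVE-2022-3602
    audit_package python3-setuptools CVE-2024-6345
}
main "$@"
```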
🚀 Ready to upgrade to PMM 3.4.1?
- New installation: Install PMM with our quickstart guide
- Upgrading from PMM 2: Migrate from PMM 2 to PMM 3
- Upgrading PMM 3: Upgrade your existing PMM 3 installation
❓ Questions or issues?
Visit our community forum or open an issue on GitHub.