IT colleagues,
This notification is for a Linux vulnerability, and does not apply to Windows or macOS devices.
Malicious code has been discovered in versions 5.6 and 5.6.1 of XZ Utils, commonly found in many Linux distributions [1]. This code interferes with the authentication mechanism for sshd and could allow a remote attacker to gain full unauthorized access to a system.
The University Information Security Office (UISO) recommends that you check the installed version of XZ Utils and, if it is one of the affected versions, roll it back to the last uncompromised version to mitigate the problem. Refer to your Linux distribution’s documentation for instructions. For university servers, take this action immediately. For other devices, take action as soon as possible.
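The version check recommended above, written out as a small POSIX shell script. This is an added example and not part of the UISO notice or any distribution's tooling. It assumes the notice's "5.6" refers to the 5.6.0 release string that `xz --version` prints, and that the first line of that output has the form "xz (XZ Utils) <version>".

```shell
#!/bin/sh
# Added example: screen the locally installed xz against the compromised
# releases named in the notice. Assumption: the notice's "5.6" is the
# release that `xz --version` reports as 5.6.0.

# Returns 0 (true) if the given version string is an affected release,
# 1 otherwise.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version number from `xz --version` output such as
# "xz (XZ Utils) 5.6.1". Reads from stdin so it can be exercised on
# constructed text as well as on the real command's output.
parse_xz_version() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Queries the installed xz binary and reports the result.
# Exit status: 0 = affected version found, 1 = not affected, 2 = xz absent.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz is not installed"; return 2; }
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    if is_affected_xz_version "$ver"; then
        echo "AFFECTED: xz $ver is a compromised release; downgrade per your distribution's guidance"
        return 0
    fi
    echo "OK: xz ${ver:-unknown} is not one of the affected releases"
    return 1
}

# Usage: run the check against this machine. The trailing `|| :` keeps a
# non-zero status from aborting a caller that has `set -e` enabled.
check_installed_xz || :
```

A matching version string is a first screen, not a final verdict: some distributions shipped a rebuilt package whose reported version differs from the upstream one, so follow the distribution-specific guidance listed below for the authoritative answer.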
Only the most recent versions of some Linux distributions are affected, including:
- Red Hat: Fedora 41 and Fedora Rawhide
  - Red Hat’s recommendation is to “immediately stop using Fedora 41 or Fedora Rawhide until you can downgrade your xz version.” [2]
- OpenSUSE Tumbleweed
- Debian: No stable versions are affected, but testing, unstable, and experimental distributions are affected
- Kali: Updates between March 26 and 29 were unsafe; updates outside that time will not have the vulnerable version [3]
- Arch Linux: Some virtual machine and container images were affected [4]
SUSE has published a downgrade process [5]. They also note that SUSE Enterprise, Leap, BCI, Rancher, and Edge are not affected. [6]
RHEL is not considered to be vulnerable at this time. [7]
The maintainers of Mint, Gentoo, Amazon Linux, and Alpine Linux state that their distros are not affected.
If you have questions, please contact the UISO at uiso@iu.edu.
–IT Community Partnerships on behalf of the University Information Security Office
——
[1] CISA advisory: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
[2] https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
[3] https://www.kali.org/blog/about-the-xz-backdoor/
[4] https://archlinux.org/news/the-xz-package-has-been-backdoored/
[5] https://build.opensuse.org/request/show/1163302
[6] https://www.suse.com/c/suse-addresses-supply-chain-attack-against-xz-compression-library/