National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team aims to increase cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Critical Vulnerability Backdoor in XZ Library

04 April 2024

The Digital Security Authority (DSA) wants to bring to your attention that a critical security vulnerability has been discovered in the xz data compression library, commonly used in Linux distributions.

 

Technical Details

A critical security vulnerability (CVSS score: 10) has been discovered in the xz data compression library, commonly used in Linux distributions. This vulnerability allows for a malicious backdoor to be potentially installed, granting unauthorized remote access via SSH.

 

Critical Vulnerability Details:

  • CVE-2024-3094 (CVSS Score: 10 Critical): Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.

 

Affected Versions:

  • xz versions 5.6.0 and 5.6.1
  • Current reports indicate that the packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem.
  • No versions of Red Hat Enterprise Linux (RHEL) are affected.
  • XZ Utils may be present in other Linux distributions such as Debian unstable (Sid), Alpine edge, Arch Linux, openSUSE Tumbleweed, and openSUSE MicroOS.

 

Fixed Versions:

  • Fedora Users: Update to the patched version of xz as soon as possible. For Rawhide users, consider avoiding the system for now as it might be rolled back to a previous xz version.
  • Other Linux Users: Check your distribution's update channels to see if xz 5.6.0 or 5.6.1 is installed and update accordingly.

 

Recommendations

The Digital Security Authority recommends downgrading XZ Utils to an uncompromised version or installing the patches, and hunting for any malicious activity.
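
An added example (not part of the original advisory or of any vendor tooling): a shell helper that checks a version string, or the output of `xz --version`, against the affected versions 5.6.0 and 5.6.1 listed above. The function names and the handling of `+really` rollback package versions are assumptions of this example, and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example: flag the xz versions this advisory lists as affected.

# classify_xz_version VERSION -> affected | not-affected | unknown
# Compares the upstream version only; whether a distro build of 5.6.x was
# patched in place must be confirmed from the distro's own advisory.
classify_xz_version() {
    v=$1
    # Assumption: a rollback package may keep a higher package version while
    # shipping older code, e.g. "5.6.1+really5.4.5-1" (constructed sample).
    case $v in
        *+really*) v=${v#*+really} ;;
    esac
    v=${v#*:}     # drop a package epoch such as "1:"
    v=${v%%-*}    # drop a package revision such as "-1" or "-3.fc40"
    case $v in
        5.6.0|5.6.1) echo affected ;;
        [0-9]*.[0-9]*.[0-9]*) echo not-affected ;;
        *) echo unknown ;;
    esac
}

# check_xz_output: reads `xz --version` output on stdin. Reports "affected"
# if either the xz tool or the liblzma library it loaded is a listed version.
check_xz_output() {
    result=not-affected
    seen=0
    while read -r line; do
        case $line in
            "xz (XZ Utils) "*) ver=${line#"xz (XZ Utils) "} ;;
            "liblzma "*)       ver=${line#"liblzma "} ;;
            *) continue ;;
        esac
        seen=1
        if [ "$(classify_xz_version "$ver")" = affected ]; then
            result=affected
        fi
    done
    if [ "$seen" -eq 0 ]; then result=unknown; fi
    echo "$result"
}

# Live check, skipped when xz is not on PATH.
if command -v xz >/dev/null 2>&1; then
    echo "installed xz: $(xz --version | check_xz_output)"
fi
```

`classify_xz_version` can also be given the version string reported by the package manager, which checks the installed package without running the xz binary.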

 

References

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

 

The information presented in this report is based on available data up to the 1st of April 2024.
