Vulnerability DatabaseCVE-2024-3094
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-3094
March 29, 2024
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (58)
https://github.com/advisories/GHSA-rxwq-x6h5-x525
https://ubuntu.com/security/CVE-2024-3094
http://www.openwall.com/lists/oss-security/2024/03/29/5
https://seclists.org/oss-sec/2024/q1/268
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://gynvael.coldwind.pl/?lang=en&id=782
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
http://www.openwall.com/lists/oss-security/2024/03/29/10
http://www.openwall.com/lists/oss-security/2024/03/30/27
https://security-tracker.debian.org/tracker/CVE-2024-3094
http://www.openwall.com/lists/oss-security/2024/03/30/36
https://bugzilla.suse.com/show_bug.cgi?id=1222124
https://tukaani.org/xz-backdoor/
https://security.alpinelinux.org/vuln/CVE-2024-3094
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
https://news.ycombinator.com/item?id=39895344
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
https://access.redhat.com/security/cve/CVE-2024-3094
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
https://security.netapp.com/advisory/ntap-20240402-0001/
https://github.com/karcherm/xz-malware
https://twitter.com/infosecb/status/1774597228864139400
https://twitter.com/LetsDefendIO/status/1774804387417751958
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
http://www.openwall.com/lists/oss-security/2024/03/29/12
http://www.openwall.com/lists/oss-security/2024/03/30/5
https://lwn.net/Articles/967180/
https://twitter.com/debian/status/1774219194638409898
https://xeiaso.net/notes/2024/xz-vuln/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
https://security.archlinux.org/CVE-2024-3094
http://www.openwall.com/lists/oss-security/2024/04/16/5
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
https://bugs.gentoo.org/928134
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://github.com/amlweems/xzbot
https://bugzilla.redhat.com/show_bug.cgi?id=2272210
https://github.com/libarchive/libarchive/pull/1609
https://news.ycombinator.com/item?id=39865810
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://www.kali.org/blog/about-the-xz-backdoor/
https://twitter.com/infosecb/status/1774595540233167206
https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
https://github.com/tukaani-project/xz/commit/6e636819e8f070330d835fce46289a3ff72a7b89
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
http://www.openwall.com/lists/oss-security/2024/03/29/8
https://research.swtch.com/xz-timeline
https://research.swtch.com/xz-script
https://lists.debian.org/debian-security-announce/2024/msg00057.html
http://www.openwall.com/lists/oss-security/2024/03/30/12
http://www.openwall.com/lists/oss-security/2024/03/29/4
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://news.ycombinator.com/item?id=39877267
Do you need more information?
Contact Us
CVSS v4
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
10
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Embedded Malicious Code
CWE-506
EPSS
Base Score:
85.19