cve-2024-3094
Vulnerability from cvelistv5
Published
2024-03-29 16:51
Modified
2024-08-20 17:24
Severity ?
Summary
Xz: malicious code in distributed source
References
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/03/29/10
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/03/29/12
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/03/29/4
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/03/29/5
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/03/29/8
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/03/30/12
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/03/30/27
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/03/30/36
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/03/30/5
secalert@redhat.comhttp://www.openwall.com/lists/oss-security/2024/04/16/5
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-3094Vendor Advisory
secalert@redhat.comhttps://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
secalert@redhat.comhttps://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/Third Party Advisory
secalert@redhat.comhttps://aws.amazon.com/security/security-bulletins/AWS-2024-002/Third Party Advisory
secalert@redhat.comhttps://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
secalert@redhat.comhttps://boehs.org/node/everything-i-know-about-the-xz-backdoorThird Party Advisory
secalert@redhat.comhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024Mailing List, Vendor Advisory
secalert@redhat.comhttps://bugs.gentoo.org/928134Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2272210Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://bugzilla.suse.com/show_bug.cgi?id=1222124Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405Third Party Advisory
secalert@redhat.comhttps://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27Third Party Advisory
secalert@redhat.comhttps://github.com/advisories/GHSA-rxwq-x6h5-x525Third Party Advisory
secalert@redhat.comhttps://github.com/amlweems/xzbot
secalert@redhat.comhttps://github.com/karcherm/xz-malwareThird Party Advisory
secalert@redhat.comhttps://gynvael.coldwind.pl/?lang=en&id=782Technical Description, Third Party Advisory
secalert@redhat.comhttps://lists.debian.org/debian-security-announce/2024/msg00057.htmlMailing List, Third Party Advisory
secalert@redhat.comhttps://lists.freebsd.org/archives/freebsd-security/2024-March/000248.htmlThird Party Advisory
secalert@redhat.comhttps://lwn.net/Articles/967180/Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://news.ycombinator.com/item?id=39865810Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://news.ycombinator.com/item?id=39877267Issue Tracking
secalert@redhat.comhttps://news.ycombinator.com/item?id=39895344
secalert@redhat.comhttps://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/Third Party Advisory
secalert@redhat.comhttps://research.swtch.com/xz-script
secalert@redhat.comhttps://research.swtch.com/xz-timeline
secalert@redhat.comhttps://security-tracker.debian.org/tracker/CVE-2024-3094Third Party Advisory
secalert@redhat.comhttps://security.alpinelinux.org/vuln/CVE-2024-3094Third Party Advisory
secalert@redhat.comhttps://security.archlinux.org/CVE-2024-3094Third Party Advisory
secalert@redhat.comhttps://security.netapp.com/advisory/ntap-20240402-0001/
secalert@redhat.comhttps://tukaani.org/xz-backdoor/Issue Tracking, Vendor Advisory
secalert@redhat.comhttps://twitter.com/LetsDefendIO/status/1774804387417751958Third Party Advisory
secalert@redhat.comhttps://twitter.com/debian/status/1774219194638409898Press/Media Coverage
secalert@redhat.comhttps://twitter.com/infosecb/status/1774595540233167206Press/Media Coverage
secalert@redhat.comhttps://twitter.com/infosecb/status/1774597228864139400Press/Media Coverage
secalert@redhat.comhttps://ubuntu.com/security/CVE-2024-3094Third Party Advisory
secalert@redhat.comhttps://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094Third Party Advisory, US Government Resource
secalert@redhat.comhttps://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utilsThird Party Advisory
secalert@redhat.comhttps://www.kali.org/blog/about-the-xz-backdoor/
secalert@redhat.comhttps://www.openwall.com/lists/oss-security/2024/03/29/4Mailing List
secalert@redhat.comhttps://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-usersVendor Advisory
secalert@redhat.comhttps://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utilsThird Party Advisory
secalert@redhat.comhttps://www.theregister.com/2024/03/29/malicious_backdoor_xz/Press/Media Coverage
secalert@redhat.comhttps://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
secalert@redhat.comhttps://xeiaso.net/notes/2024/xz-vuln/Third Party Advisory
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3094",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-02T04:00:23.138684Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T15:37:17.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T19:32:42.679Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.gentoo.org/928134"
          },
          {
            "name": "RHBZ#2272210",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1222124"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-rxwq-x6h5-x525"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/amlweems/xzbot"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/karcherm/xz-malware"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://gynvael.coldwind.pl/?lang=en\u0026id=782"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-security-announce/2024/msg00057.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lwn.net/Articles/967180/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=39865810"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=39877267"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://news.ycombinator.com/item?id=39895344"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://research.swtch.com/xz-script"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://research.swtch.com/xz-timeline"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security-tracker.debian.org/tracker/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.alpinelinux.org/vuln/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.archlinux.org/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240402-0001/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://tukaani.org/xz-backdoor/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/LetsDefendIO/status/1774804387417751958"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/debian/status/1774219194638409898"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/infosecb/status/1774595540233167206"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://twitter.com/infosecb/status/1774597228864139400"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://ubuntu.com/security/CVE-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.kali.org/blog/about-the-xz-backdoor/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.theregister.com/2024/03/29/malicious_backdoor_xz/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://xeiaso.net/notes/2024/xz-vuln/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/30/12"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/30/27"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/12"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/30/36"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/04/16/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/30/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/29/4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/tukaani-project/xz",
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "versions": [
            {
              "status": "affected",
              "version": "5.6.0"
            },
            {
              "status": "affected",
              "version": "5.6.1"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "xz",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Andres Freund for reporting this issue."
        }
      ],
      "datePublic": "2024-03-29T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Critical"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-506",
              "description": "Embedded Malicious Code",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-20T17:24:56.165Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/29/10"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/29/12"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/29/4"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/29/5"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/29/8"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/30/12"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/30/27"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/30/36"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/30/5"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/04/16/5"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-3094"
        },
        {
          "url": "https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/"
        },
        {
          "url": "https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/"
        },
        {
          "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-002/"
        },
        {
          "url": "https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz"
        },
        {
          "url": "https://boehs.org/node/everything-i-know-about-the-xz-backdoor"
        },
        {
          "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024"
        },
        {
          "url": "https://bugs.gentoo.org/928134"
        },
        {
          "name": "RHBZ#2272210",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"
        },
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1222124"
        },
        {
          "url": "https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405"
        },
        {
          "url": "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27"
        },
        {
          "url": "https://github.com/advisories/GHSA-rxwq-x6h5-x525"
        },
        {
          "url": "https://github.com/amlweems/xzbot"
        },
        {
          "url": "https://github.com/karcherm/xz-malware"
        },
        {
          "url": "https://gynvael.coldwind.pl/?lang=en\u0026id=782"
        },
        {
          "url": "https://lists.debian.org/debian-security-announce/2024/msg00057.html"
        },
        {
          "url": "https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html"
        },
        {
          "url": "https://lwn.net/Articles/967180/"
        },
        {
          "url": "https://news.ycombinator.com/item?id=39865810"
        },
        {
          "url": "https://news.ycombinator.com/item?id=39877267"
        },
        {
          "url": "https://news.ycombinator.com/item?id=39895344"
        },
        {
          "url": "https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/"
        },
        {
          "url": "https://research.swtch.com/xz-script"
        },
        {
          "url": "https://research.swtch.com/xz-timeline"
        },
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2024-3094"
        },
        {
          "url": "https://security.alpinelinux.org/vuln/CVE-2024-3094"
        },
        {
          "url": "https://security.archlinux.org/CVE-2024-3094"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240402-0001/"
        },
        {
          "url": "https://tukaani.org/xz-backdoor/"
        },
        {
          "url": "https://twitter.com/LetsDefendIO/status/1774804387417751958"
        },
        {
          "url": "https://twitter.com/debian/status/1774219194638409898"
        },
        {
          "url": "https://twitter.com/infosecb/status/1774595540233167206"
        },
        {
          "url": "https://twitter.com/infosecb/status/1774597228864139400"
        },
        {
          "url": "https://ubuntu.com/security/CVE-2024-3094"
        },
        {
          "url": "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"
        },
        {
          "url": "https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils"
        },
        {
          "url": "https://www.kali.org/blog/about-the-xz-backdoor/"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"
        },
        {
          "url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"
        },
        {
          "url": "https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils"
        },
        {
          "url": "https://www.theregister.com/2024/03/29/malicious_backdoor_xz/"
        },
        {
          "url": "https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094"
        },
        {
          "url": "https://xeiaso.net/notes/2024/xz-vuln/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-03-27T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-03-29T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Xz: malicious code in distributed source",
      "x_redhatCweChain": "CWE-506: Embedded Malicious Code"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-3094",
    "datePublished": "2024-03-29T16:51:12.588Z",
    "dateReserved": "2024-03-29T15:38:13.249Z",
    "dateUpdated": "2024-08-20T17:24:56.165Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-3094\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2024-03-29T17:15:21.150\",\"lastModified\":\"2024-05-01T19:15:27.340\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \\r\\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 c\u00f3digo malicioso en los archivos tar ascendentes de xz, a partir de la versi\u00f3n 5.6.0. A trav\u00e9s de una serie de ofuscaciones complejas, el proceso de compilaci\u00f3n de liblzma extrae un archivo objeto premanipulado de un archivo de prueba disfrazado existente en el c\u00f3digo fuente, que luego se utiliza para modificar funciones espec\u00edficas en el c\u00f3digo de liblzma. Esto da como resultado una librer\u00eda liblzma modificada que puede ser utilizada por cualquier software vinculado a esta librer\u00eda, interceptando y modificando la interacci\u00f3n de datos con esta librer\u00eda.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0},{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-506\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"73F1DAD7-F362-4C5B-B980-2E5313C369DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"55782A0B-B9C5-4536-A885-84CAB7029C09\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/29/10\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/29/12\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/29/4\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/29/5\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/29/8\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/30/12\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/30/27\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/30/36\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/03/30/5\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/04/16/5\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2024-3094\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://aws.amazon.com/security/security-bulletins/AWS-2024-002/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://boehs.org/node/everything-i-know-about-the-xz-backdoor\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://bugs.gentoo.org/928134\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2272210\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=1222124\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-rxwq-x6h5-x525\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/amlweems/xzbot\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/karcherm/xz-malware\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://gynvael.coldwind.pl/?lang=en\u0026id=782\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-security-announce/2024/msg00057.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lwn.net/Articles/967180/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://news.ycombinator.com/item?id=39865810\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://news.ycombinator.com/item?id=39877267\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://news.ycombinator.com/item?id=39895344\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://research.swtch.com/xz-script\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://research.swtch.com/xz-timeline\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security-tracker.debian.org/tracker/CVE-2024-3094\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.alpinelinux.org/vuln/CVE-2024-3094\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.archlinux.org/CVE-2024-3094\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240402-0001/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://tukaani.org/xz-backdoor/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://twitter.com/LetsDefendIO/status/1774804387417751958\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://twitter.com/debian/status/1774219194638409898\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://twitter.com/infosecb/status/1774595540233167206\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://twitter.com/infosecb/status/1774597228864139400\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://ubuntu.com/security/CVE-2024-3094\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.kali.org/blog/about-the-xz-backdoor/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.openwall.com/lists/oss-security/2024/03/29/4\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.theregister.com/2024/03/29/malicious_backdoor_xz/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Press/Media Coverage\"]},{\"url\":\"https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://xeiaso.net/notes/2024/xz-vuln/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.