CVE-2024-3094 - Vulnerability Details

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Redhat	Enterprise Linux Jboss Enterprise Application Platform
Tukaani	Xz

Configuration 1 [-]

OR	cpe:2.3:a:tukaani:xz:5.6.0:::::::*
	cpe:2.3:a:tukaani:xz:5.6.1:::::::*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/03/29/10
http://www.openwall.com/lists/oss-security/2024/03/29/12
http://www.openwall.com/lists/oss-security/2024/03/29/4
http://www.openwall.com/lists/oss-security/2024/03/29/5
http://www.openwall.com/lists/oss-security/2024/03/29/8
http://www.openwall.com/lists/oss-security/2024/03/30/12
http://www.openwall.com/lists/oss-security/2024/03/30/27
http://www.openwall.com/lists/oss-security/2024/03/30/36
http://www.openwall.com/lists/oss-security/2024/03/30/5
http://www.openwall.com/lists/oss-security/2024/04/16/5
https://access.redhat.com/security/cve/CVE-2024-3094
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
https://bugs.gentoo.org/928134
https://bugzilla.redhat.com/show_bug.cgi?id=2272210
https://bugzilla.suse.com/show_bug.cgi?id=1222124
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
https://github.com/advisories/GHSA-rxwq-x6h5-x525
https://github.com/amlweems/xzbot
https://github.com/karcherm/xz-malware
https://gynvael.coldwind.pl/?lang=en&id=782
https://lists.debian.org/debian-security-announce/2024/msg00057.html
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
https://lwn.net/Articles/967180/
https://news.ycombinator.com/item?id=39865810
https://news.ycombinator.com/item?id=39877267
https://news.ycombinator.com/item?id=39895344
https://nvd.nist.gov/vuln/detail/CVE-2024-3094
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
https://research.swtch.com/xz-script
https://research.swtch.com/xz-timeline
https://security-tracker.debian.org/tracker/CVE-2024-3094
https://security.alpinelinux.org/vuln/CVE-2024-3094
https://security.archlinux.org/CVE-2024-3094
https://security.netapp.com/advisory/ntap-20240402-0001/
https://tukaani.org/xz-backdoor/
https://twitter.com/LetsDefendIO/status/1774804387417751958
https://twitter.com/debian/status/1774219194638409898
https://twitter.com/infosecb/status/1774595540233167206
https://twitter.com/infosecb/status/1774597228864139400
https://ubuntu.com/security/CVE-2024-3094
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
https://www.cve.org/CVERecord?id=CVE-2024-3094
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
https://www.kali.org/blog/about-the-xz-backdoor/
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://xeiaso.net/notes/2024/xz-vuln/

History

Thu, 06 Feb 2025 09:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-03-29T16:51:12.588Z

Updated: 2025-02-06T08:24:55.066Z

Reserved: 2024-03-29T15:38:13.249Z

Link: CVE-2024-3094

Vulnrichment

Updated: 2024-08-01T19:32:42.679Z

NVD

Status : Modified

Published: 2024-03-29T17:15:21.150

Modified: 2025-02-06T09:15:10.820

Link: CVE-2024-3094

Redhat

Severity : Critical

Publid Date: 2024-03-29T00:00:00Z

Links: CVE-2024-3094 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3094", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-03-29T15:38:13.249Z", "datePublished": "2024-03-29T16:51:12.588Z", "dateUpdated": "2025-02-06T08:24:55.066Z"}, "containers": {"cna": {"title": "Xz: malicious code in distributed source", "metrics": [{"other": {"content": {"value": "Critical", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."}], "affected": [{"versions": [{"status": "affected", "version": "5.6.0"}, {"status": "affected", "version": "5.6.1"}], "packageName": "xz", "collectionURL": "https://github.com/tukaani-project/xz", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "xz", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "xz", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "xz", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "xz", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "xz", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-3094", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210", "name": "RHBZ#2272210", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"}, {"url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"}], "datePublic": "2024-03-29T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-506", "description": "Embedded Malicious Code", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-506: Embedded Malicious Code", "timeline": [{"lang": "en", "time": "2024-03-27T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-03-29T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Andres Freund for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-02-06T08:24:55.066Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-02T04:00:23.138684Z", "id": "CVE-2024-3094", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T15:37:17.662Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.679Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-3094", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/", "tags": ["x_transferred"]}, {"url": "https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/", "tags": ["x_transferred"]}, {"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-002/", "tags": ["x_transferred"]}, {"url": "https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz", "tags": ["x_transferred"]}, {"url": "https://boehs.org/node/everything-i-know-about-the-xz-backdoor", "tags": ["x_transferred"]}, {"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024", "tags": ["x_transferred"]}, {"url": "https://bugs.gentoo.org/928134", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210", "name": "RHBZ#2272210", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1222124", "tags": ["x_transferred"]}, {"url": "https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-rxwq-x6h5-x525", "tags": ["x_transferred"]}, {"url": "https://github.com/amlweems/xzbot", "tags": ["x_transferred"]}, {"url": "https://github.com/karcherm/xz-malware", "tags": ["x_transferred"]}, {"url": "https://gynvael.coldwind.pl/?lang=en&id=782", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-security-announce/2024/msg00057.html", "tags": ["x_transferred"]}, {"url": "https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html", "tags": ["x_transferred"]}, {"url": "https://lwn.net/Articles/967180/", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=39865810", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=39877267", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=39895344", "tags": ["x_transferred"]}, {"url": "https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/", "tags": ["x_transferred"]}, {"url": "https://research.swtch.com/xz-script", "tags": ["x_transferred"]}, {"url": "https://research.swtch.com/xz-timeline", "tags": ["x_transferred"]}, {"url": "https://security-tracker.debian.org/tracker/CVE-2024-3094", "tags": ["x_transferred"]}, {"url": "https://security.alpinelinux.org/vuln/CVE-2024-3094", "tags": ["x_transferred"]}, {"url": "https://security.archlinux.org/CVE-2024-3094", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240402-0001/", "tags": ["x_transferred"]}, {"url": "https://tukaani.org/xz-backdoor/", "tags": ["x_transferred"]}, {"url": "https://twitter.com/LetsDefendIO/status/1774804387417751958", "tags": ["x_transferred"]}, {"url": "https://twitter.com/debian/status/1774219194638409898", "tags": ["x_transferred"]}, {"url": "https://twitter.com/infosecb/status/1774595540233167206", "tags": ["x_transferred"]}, {"url": "https://twitter.com/infosecb/status/1774597228864139400", "tags": ["x_transferred"]}, {"url": "https://ubuntu.com/security/CVE-2024-3094", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094", "tags": ["x_transferred"]}, {"url": "https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils", "tags": ["x_transferred"]}, {"url": "https://www.kali.org/blog/about-the-xz-backdoor/", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/03/29/4", "tags": ["x_transferred"]}, {"url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users", "tags": ["x_transferred"]}, {"url": "https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils", "tags": ["x_transferred"]}, {"url": "https://www.theregister.com/2024/03/29/malicious_backdoor_xz/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094", "tags": ["x_transferred"]}, {"url": "https://xeiaso.net/notes/2024/xz-vuln/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/30/12", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/30/27", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/12", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/10", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/30/36", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/16/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/8", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/30/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/4", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-3094", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/", "tags": ["x_transferred"]}, {"url": "https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/", "tags": ["x_transferred"]}, {"url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-002/", "tags": ["x_transferred"]}, {"url": "https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz", "tags": ["x_transferred"]}, {"url": "https://boehs.org/node/everything-i-know-about-the-xz-backdoor", "tags": ["x_transferred"]}, {"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024", "tags": ["x_transferred"]}, {"url": "https://bugs.gentoo.org/928134", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210", "name": "RHBZ#2272210", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.suse.com/show_bug.cgi?id=1222124", "tags": ["x_transferred"]}, {"url": "https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27", "tags": ["x_transferred"]}, {"url": "https://github.com/advisories/GHSA-rxwq-x6h5-x525", "tags": ["x_transferred"]}, {"url": "https://github.com/amlweems/xzbot", "tags": ["x_transferred"]}, {"url": "https://github.com/karcherm/xz-malware", "tags": ["x_transferred"]}, {"url": "https://gynvael.coldwind.pl/?lang=en&id=782", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-security-announce/2024/msg00057.html", "tags": ["x_transferred"]}, {"url": "https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html", "tags": ["x_transferred"]}, {"url": "https://lwn.net/Articles/967180/", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=39865810", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=39877267", "tags": ["x_transferred"]}, {"url": "https://news.ycombinator.com/item?id=39895344", "tags": ["x_transferred"]}, {"url": "https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/", "tags": ["x_transferred"]}, {"url": "https://research.swtch.com/xz-script", "tags": ["x_transferred"]}, {"url": "https://research.swtch.com/xz-timeline", "tags": ["x_transferred"]}, {"url": "https://security-tracker.debian.org/tracker/CVE-2024-3094", "tags": ["x_transferred"]}, {"url": "https://security.alpinelinux.org/vuln/CVE-2024-3094", "tags": ["x_transferred"]}, {"url": "https://security.archlinux.org/CVE-2024-3094", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240402-0001/", "tags": ["x_transferred"]}, {"url": "https://tukaani.org/xz-backdoor/", "tags": ["x_transferred"]}, {"url": "https://twitter.com/LetsDefendIO/status/1774804387417751958", "tags": ["x_transferred"]}, {"url": "https://twitter.com/debian/status/1774219194638409898", "tags": ["x_transferred"]}, {"url": "https://twitter.com/infosecb/status/1774595540233167206", "tags": ["x_transferred"]}, {"url": "https://twitter.com/infosecb/status/1774597228864139400", "tags": ["x_transferred"]}, {"url": "https://ubuntu.com/security/CVE-2024-3094", "tags": ["x_transferred"]}, {"url": "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094", "tags": ["x_transferred"]}, {"url": "https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils", "tags": ["x_transferred"]}, {"url": "https://www.kali.org/blog/about-the-xz-backdoor/", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/03/29/4", "tags": ["x_transferred"]}, {"url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users", "tags": ["x_transferred"]}, {"url": "https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils", "tags": ["x_transferred"]}, {"url": "https://www.theregister.com/2024/03/29/malicious_backdoor_xz/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094", "tags": ["x_transferred"]}, {"url": "https://xeiaso.net/notes/2024/xz-vuln/", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/30/12", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/30/27", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/12", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/10", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/30/36", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/16/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/8", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/30/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/29/4", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.679Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3094", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-04-02T04:00:23.138684Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-29T18:42:23.582Z"}}], "cna": {"title": "Xz: malicious code in distributed source", "credits": [{"lang": "en", "value": "Red Hat would like to thank Andres Freund for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Critical", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "5.6.0"}, {"status": "affected", "version": "5.6.1"}], "packageName": "xz", "collectionURL": "https://github.com/tukaani-project/xz", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "xz", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "xz", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "xz", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "xz", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "xz", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-03-27T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-03-29T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-03-29T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-3094", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210", "name": "RHBZ#2272210", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"}, {"url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"}], "descriptions": [{"lang": "en", "value": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-506", "description": "Embedded Malicious Code"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-02-06T08:24:55.066Z"}, "x_redhatCweChain": "CWE-506: Embedded Malicious Code"}}, "cveMetadata": {"cveId": "CVE-2024-3094", "state": "PUBLISHED", "dateUpdated": "2025-02-06T08:24:55.066Z", "dateReserved": "2024-03-29T15:38:13.249Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-03-29T16:51:12.588Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "73F1DAD7-F362-4C5B-B980-2E5313C369DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "55782A0B-B9C5-4536-A885-84CAB7029C09", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \r\nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."}, {"lang": "es", "value": "Se descubri\u00f3 c\u00f3digo malicioso en los archivos tar ascendentes de xz, a partir de la versi\u00f3n 5.6.0. A trav\u00e9s de una serie de ofuscaciones complejas, el proceso de compilaci\u00f3n de liblzma extrae un archivo objeto premanipulado de un archivo de prueba disfrazado existente en el c\u00f3digo fuente, que luego se utiliza para modificar funciones espec\u00edficas en el c\u00f3digo de liblzma. Esto da como resultado una librer\u00eda liblzma modificada que puede ser utilizada por cualquier software vinculado a esta librer\u00eda, interceptando y modificando la interacci\u00f3n de datos con esta librer\u00eda."}], "id": "CVE-2024-3094", "lastModified": "2025-02-06T09:15:10.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-29T17:15:21.150", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-3094"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"}, {"source": "secalert@redhat.com", "tags": ["Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/29/10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/29/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/29/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/29/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/29/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/30/12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/30/27"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/30/36"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/03/30/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/04/16/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-3094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://aws.amazon.com/security/security-bulletins/AWS-2024-002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://boehs.org/node/everything-i-know-about-the-xz-backdoor"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.gentoo.org/928134"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1222124"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-rxwq-x6h5-x525"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/amlweems/xzbot"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/karcherm/xz-malware"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://gynvael.coldwind.pl/?lang=en&id=782"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-security-announce/2024/msg00057.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://lwn.net/Articles/967180/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=39865810"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://news.ycombinator.com/item?id=39877267"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://news.ycombinator.com/item?id=39895344"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://research.swtch.com/xz-script"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://research.swtch.com/xz-timeline"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2024-3094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.alpinelinux.org/vuln/CVE-2024-3094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.archlinux.org/CVE-2024-3094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240402-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://tukaani.org/xz-backdoor/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://twitter.com/LetsDefendIO/status/1774804387417751958"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Press/Media Coverage"], "url": "https://twitter.com/debian/status/1774219194638409898"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Press/Media Coverage"], "url": "https://twitter.com/infosecb/status/1774595540233167206"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Press/Media Coverage"], "url": "https://twitter.com/infosecb/status/1774597228864139400"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://ubuntu.com/security/CVE-2024-3094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kali.org/blog/about-the-xz-backdoor/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2024/03/29/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Press/Media Coverage"], "url": "https://www.theregister.com/2024/03/29/malicious_backdoor_xz/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://xeiaso.net/notes/2024/xz-vuln/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-506"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Andres Freund for reporting this issue.", "bugzilla": {"description": "xz: malicious code in distributed source", "id": "2272210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272210"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-506", "details": ["Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. \nThrough a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library."], "name": "CVE-2024-3094", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "xz", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "xz", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "xz", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "xz", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "xz", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}], "public_date": "2024-03-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-3094\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3094\nhttps://www.openwall.com/lists/oss-security/2024/03/29/4\nhttps://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users"], "statement": "Current investigation indicates that the packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. \nNo versions of Red Hat Enterprise Linux (RHEL) are affected.\nThe malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is only included in the tarball download package. The Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present. Without the merge into the build, the 2nd-stage file is innocuous.\nIn the finder\u2019s demonstration, it was found that it interfered with the OpenSSH daemon. While OpenSSH is not directly linked to the liblzma library, it does communicate with systemd in such a way that exposes it to the malware due to systemd linking to liblzma.", "threat_severity": "Critical"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object