【Vulnerability Alert】 XZ Utils has a high-risk security vulnerability (CVE-2024-3094). Please confirm and patch as soon as possible!
publish date :
2024-04-10
update date :
2024-04-15
Source: Ministry of education information & communication security contingency platform
Publication Number | TACERT-ANA-2024040901044545 | Publication Time | 2024/04/09 13:11 |
Incident Type | ANA-Vulnerability Alert | Discovery Time | 2024/04/09 13:11 |
Impact Level | Medium | ||
[Subject] 【Vulnerability Alert】 XZ Utils has a high-risk security vulnerability (CVE-2024-3094). Please confirm and patch as soon as possible! |
|||
[Content] Forwarded from the National Institute of Cyber Security NISAC-200-202404-00000021 Researchers have discovered that the XZ Utils data compression library has been targeted in a supply chain attack (CVE-2024-3094). A specific version of this program has been implanted with a backdoor. Some Linux distribution versions have installed the affected XZ Utils version. Please confirm and take corresponding actions based on official recommendations. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
[Affected Platform] ● Alpine ● Fedora 41, Fedora Rawhide, and Fedora Linux 40 beta ● Kali Linux ● openSUSE Tumbleweed and openSUSE MicroOS ● Debian ● XZ Utils 5.6.0 and 5.6.1 |
|||
[Recommended Actions] After confirming the version, please follow the official instructions to determine if an update is required or if it's necessary to downgrade the XZ Utils version: ● Alpine: https://security.alpinelinux.org/vuln/CVE-2024-3094 ● Debian: https://security-tracker.debian.org/tracker/CVE-2024-3094 ● Fedora: https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/ ● Kali Linux: https://www.kali.org/blog/about-the-xz-backdoor/ ● openSUSE: https://news.opensuse.org/2024/03/29/xz-backdoor/ |
|||
[Reference] 1. https://nvd.nist.gov/vuln/detail/CVE-2024-3094 2. https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know 3. https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/ 4. https://www.ithome.com.tw/news/162040 5. https://security.alpinelinux.org/vuln/CVE-2024-3094 6. https://security-tracker.debian.org/tracker/CVE-2024-3094 7. https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/ 8. https://www.kali.org/blog/about-the-xz-backdoor/ 9. https://www.suse.com/security/cve/CVE-2024-3094.html 10. https://news.opensuse.org/2024/03/29/xz-backdoor/ |
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer:
Computer Center