CVE - CVE-2024-3094

CVE-ID
CVE-2024-3094	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:RHBZ#2272210 URL:https://bugzilla.redhat.com/show_bug.cgi?id=2272210 MISC:https://access.redhat.com/security/cve/CVE-2024-3094 URL:https://access.redhat.com/security/cve/CVE-2024-3094 MISC:https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/ URL:https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/ MISC:https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ URL:https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ MISC:https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ URL:https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ MISC:https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz URL:https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz MISC:https://boehs.org/node/everything-i-know-about-the-xz-backdoor URL:https://boehs.org/node/everything-i-know-about-the-xz-backdoor MISC:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 URL:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 MISC:https://bugs.gentoo.org/928134 URL:https://bugs.gentoo.org/928134 MISC:https://bugzilla.suse.com/show_bug.cgi?id=1222124 URL:https://bugzilla.suse.com/show_bug.cgi?id=1222124 MISC:https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 URL:https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 MISC:https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 URL:https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 MISC:https://github.com/advisories/GHSA-rxwq-x6h5-x525 URL:https://github.com/advisories/GHSA-rxwq-x6h5-x525 MISC:https://github.com/amlweems/xzbot URL:https://github.com/amlweems/xzbot MISC:https://github.com/karcherm/xz-malware URL:https://github.com/karcherm/xz-malware MISC:https://gynvael.coldwind.pl/?lang=en&id=782 URL:https://gynvael.coldwind.pl/?lang=en&id=782 MISC:https://lists.debian.org/debian-security-announce/2024/msg00057.html URL:https://lists.debian.org/debian-security-announce/2024/msg00057.html MISC:https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html URL:https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html MISC:https://lwn.net/Articles/967180/ URL:https://lwn.net/Articles/967180/ MISC:https://news.ycombinator.com/item?id=39865810 URL:https://news.ycombinator.com/item?id=39865810 MISC:https://news.ycombinator.com/item?id=39877267 URL:https://news.ycombinator.com/item?id=39877267 MISC:https://news.ycombinator.com/item?id=39895344 URL:https://news.ycombinator.com/item?id=39895344 MISC:https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ URL:https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ MISC:https://research.swtch.com/xz-script URL:https://research.swtch.com/xz-script MISC:https://research.swtch.com/xz-timeline URL:https://research.swtch.com/xz-timeline MISC:https://security-tracker.debian.org/tracker/CVE-2024-3094 URL:https://security-tracker.debian.org/tracker/CVE-2024-3094 MISC:https://security.alpinelinux.org/vuln/CVE-2024-3094 URL:https://security.alpinelinux.org/vuln/CVE-2024-3094 MISC:https://security.archlinux.org/CVE-2024-3094 URL:https://security.archlinux.org/CVE-2024-3094 MISC:https://security.netapp.com/advisory/ntap-20240402-0001/ URL:https://security.netapp.com/advisory/ntap-20240402-0001/ MISC:https://tukaani.org/xz-backdoor/ URL:https://tukaani.org/xz-backdoor/ MISC:https://twitter.com/LetsDefendIO/status/1774804387417751958 URL:https://twitter.com/LetsDefendIO/status/1774804387417751958 MISC:https://twitter.com/debian/status/1774219194638409898 URL:https://twitter.com/debian/status/1774219194638409898 MISC:https://twitter.com/infosecb/status/1774595540233167206 URL:https://twitter.com/infosecb/status/1774595540233167206 MISC:https://twitter.com/infosecb/status/1774597228864139400 URL:https://twitter.com/infosecb/status/1774597228864139400 MISC:https://ubuntu.com/security/CVE-2024-3094 URL:https://ubuntu.com/security/CVE-2024-3094 MISC:https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 URL:https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 MISC:https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils URL:https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils MISC:https://www.kali.org/blog/about-the-xz-backdoor/ URL:https://www.kali.org/blog/about-the-xz-backdoor/ MISC:https://www.openwall.com/lists/oss-security/2024/03/29/4 URL:https://www.openwall.com/lists/oss-security/2024/03/29/4 MISC:https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users URL:https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users MISC:https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils URL:https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils MISC:https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ URL:https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ MISC:https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094 URL:https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094 MISC:https://xeiaso.net/notes/2024/xz-vuln/ URL:https://xeiaso.net/notes/2024/xz-vuln/
Assigning CNA
Red Hat, Inc.
Date Record Created
20240329	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240329)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)