10.0
CRITICAL
CVE-2024-3094
"xz Liblzma Backdoor"
Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

INFO

Published Date :

March 29, 2024, 5:15 p.m.

Last Modified :

May 1, 2024, 7:15 p.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

6.0

Exploitability Score :

3.9
Public PoC/Exploit Available at Github

CVE-2024-3094 has a 131 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-3094 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Tukaani xz
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-3094.

URL Resource
http://www.openwall.com/lists/oss-security/2024/03/29/10
http://www.openwall.com/lists/oss-security/2024/03/29/12
http://www.openwall.com/lists/oss-security/2024/03/29/4
http://www.openwall.com/lists/oss-security/2024/03/29/5
http://www.openwall.com/lists/oss-security/2024/03/29/8
http://www.openwall.com/lists/oss-security/2024/03/30/12
http://www.openwall.com/lists/oss-security/2024/03/30/27
http://www.openwall.com/lists/oss-security/2024/03/30/36
http://www.openwall.com/lists/oss-security/2024/03/30/5
http://www.openwall.com/lists/oss-security/2024/04/16/5
https://access.redhat.com/security/cve/CVE-2024-3094 Vendor Advisory
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ Third Party Advisory
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
https://boehs.org/node/everything-i-know-about-the-xz-backdoor Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 Mailing List Vendor Advisory
https://bugs.gentoo.org/928134 Issue Tracking Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2272210 Issue Tracking Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1222124 Issue Tracking Third Party Advisory
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 Third Party Advisory
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 Third Party Advisory
https://github.com/advisories/GHSA-rxwq-x6h5-x525 Third Party Advisory
https://github.com/amlweems/xzbot
https://github.com/karcherm/xz-malware Third Party Advisory
https://gynvael.coldwind.pl/?lang=en&id=782 Technical Description Third Party Advisory
https://lists.debian.org/debian-security-announce/2024/msg00057.html Mailing List Third Party Advisory
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html Third Party Advisory
https://lwn.net/Articles/967180/ Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=39865810 Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=39877267 Issue Tracking
https://news.ycombinator.com/item?id=39895344
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ Third Party Advisory
https://research.swtch.com/xz-script
https://research.swtch.com/xz-timeline
https://security-tracker.debian.org/tracker/CVE-2024-3094 Third Party Advisory
https://security.alpinelinux.org/vuln/CVE-2024-3094 Third Party Advisory
https://security.archlinux.org/CVE-2024-3094 Third Party Advisory
https://security.netapp.com/advisory/ntap-20240402-0001/
https://tukaani.org/xz-backdoor/ Issue Tracking Vendor Advisory
https://twitter.com/LetsDefendIO/status/1774804387417751958 Third Party Advisory
https://twitter.com/debian/status/1774219194638409898 Press/Media Coverage
https://twitter.com/infosecb/status/1774595540233167206 Press/Media Coverage
https://twitter.com/infosecb/status/1774597228864139400 Press/Media Coverage
https://ubuntu.com/security/CVE-2024-3094 Third Party Advisory
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 Third Party Advisory US Government Resource
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils Third Party Advisory
https://www.kali.org/blog/about-the-xz-backdoor/
https://www.openwall.com/lists/oss-security/2024/03/29/4 Mailing List
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users Vendor Advisory
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils Third Party Advisory
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ Press/Media Coverage
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://xeiaso.net/notes/2024/xz-vuln/ Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
ugongmk/ugongmk

None

JavaScript

Updated: 2 weeks, 6 days ago
0 stars 0 fork 0 watcher
Born at : Oct. 16, 2024, 3 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
felipecruz91/high-profile-demo

None

Makefile Dockerfile Go

Updated: 1 month, 1 week ago
0 stars 0 fork 0 watcher
Born at : Sept. 24, 2024, 1:37 p.m. This repo has been linked 3 different CVEs too.
Profile Photo
Technetium1/stars

My stars. View raw for full list.

Updated: 1 month, 4 weeks ago
0 stars 0 fork 0 watcher
Born at : Aug. 8, 2024, 6:44 p.m. This repo has been linked 8 different CVEs too.
Profile Photo
Jappie3/starred

None

Updated: 1 month, 4 weeks ago
0 stars 0 fork 0 watcher
Born at : July 21, 2024, 11:33 a.m. This repo has been linked 3 different CVEs too.
Profile Photo
yq93dskimzm2/CVE-2024-3094

Just a script to test if xz is vulnerable to the cve 2024-3094.

Rust

Updated: 3 months, 4 weeks ago
1 stars 0 fork 0 watcher
Born at : July 8, 2024, 3:57 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
robertdfrench/ifuncd-up

GNU IFUNC is the real culprit behind CVE-2024-3094

cve-2024-3094 dynamic-loading xz-utils-backdoor ifunc global-offset-table procedure-linkage-table relro ssh systemd elf glibc supply-chain memes dynamic-linking

Makefile C Dockerfile

Updated: 2 months ago
11 stars 1 fork 1 watcher
Born at : July 5, 2024, 6:36 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
DANO-AMP/CVE-2024-3094

SSH EXPLOIT BYPASS AUTH SSH

C

Updated: 2 months, 4 weeks ago
1 stars 0 fork 0 watcher
Born at : July 5, 2024, 12:02 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
shefirot/CVE-2024-3094

Basic POC to test CVE-2024-3094 vulnerability inside K8s cluster

Shell

Updated: 4 months, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : June 11, 2024, 2:19 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
v-myildiz/XZBot

None

Go Python

Updated: 4 months, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : June 10, 2024, 12:32 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
dparksports/detect_intrusion

None

Shell

Updated: 5 months ago
0 stars 0 fork 0 watcher
Born at : May 30, 2024, 10:23 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
mauvehed/starred

A dynamically generated and organized list of repositories I've starred on GitHub

Updated: 1 month, 4 weeks ago
1 stars 0 fork 0 watcher
Born at : May 26, 2024, 4:16 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
AndreaCicca/Sicurezza-Informatica-Presentazione

Presentazione per il corsi di sicurezza Informatica sulla vulnerabilità CVE-2024-3094

TeX

Updated: 2 months ago
0 stars 0 fork 0 watcher
Born at : May 22, 2024, 3:33 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
orhun/flawz

A Terminal UI for browsing security vulnerabilities (CVEs)

cve cve-search ratatui ratatui-rs rust security security-vulnerability tui vulnerability vulnerability-search terminal-ui terminal-user-interface

Rust

Updated: 1 month, 4 weeks ago
347 stars 9 fork 9 watcher
Born at : May 15, 2024, 5:09 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
neuralinhibitor/xzwhy

XZ Utils CVE-2024-3094 POC for Kubernetes

Updated: 2 months ago
4 stars 0 fork 0 watcher
Born at : April 18, 2024, 1:08 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
chadsr/stars

Starred Repositories

starred starred-repositories

Updated: 1 month, 4 weeks ago
0 stars 0 fork 0 watcher
Born at : April 17, 2024, 11:35 p.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-3094 vulnerability anywhere in the article.

  • The Hacker News
Leveraging Wazuh for Zero Trust security

Zero Trust security changes how organizations handle security by doing away with implicit trust while continuously analyzing and validating access requests. Contrary to perimeter-based security, users ... Read more

Published Date: Nov 05, 2024 (12 hours, 58 minutes ago)
CVE-2024-3094
  • BleepingComputer
How open source SIEM and XDR tackle evolving threats

In today's cybersecurity landscape, evolving threats require security solutions that match the sophistication of modern threats. As businesses rapidly adopt emerging technologies, their exposure to cy ... Read more

Published Date: Oct 09, 2024 (3 weeks, 6 days ago)
CVE-2024-3094
  • Kaspersky
IT threat evolution Q2 2024

Targeted attacks XZ backdoor: a supply chain attack in the making On March 29, a message on the Openwall oss-security mailing list announced the discovery of a backdoor in XZ, a compression utility in ... Read more

Published Date: Sep 03, 2024 (2 months ago)
CVE-2024-30051 CVE-2024-3094 CVE-2023-36033
  • Kaspersky
APT trends report Q2 2024

For over six years now, Kaspersky’s Global Research and Analysis Team (GReAT) has been sharing quarterly updates on advanced persistent threats (APTs). These summaries draw on our threat intelligence ... Read more

Published Date: Aug 13, 2024 (2 months, 3 weeks ago)
CVE-2024-3094

The following table lists the changes that have been made to the CVE-2024-3094 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    May. 01, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/03/29/12 [No types assigned]
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/04/16/5 [No types assigned]
  • CVE Modified by [email protected]

    May. 01, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/03/30/27 [No types assigned]
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/03/29/10 [No types assigned]
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/03/30/36 [No types assigned]
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/03/29/8 [No types assigned]
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/03/30/5 [No types assigned]
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/03/29/5 [No types assigned]
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/03/29/4 [No types assigned]
  • CVE Modified by [email protected]

    May. 01, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. http://www.openwall.com/lists/oss-security/2024/03/30/12 [No types assigned]
  • CVE Modified by [email protected]

    Apr. 12, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz [No types assigned]
  • CVE Modified by [email protected]

    Apr. 03, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/ [No types assigned]
    Added Reference Red Hat, Inc. https://research.swtch.com/xz-timeline [No types assigned]
    Added Reference Red Hat, Inc. https://research.swtch.com/xz-script [No types assigned]
  • CVE Modified by [email protected]

    Apr. 03, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://www.kali.org/blog/about-the-xz-backdoor/ [No types assigned]
  • CVE Modified by [email protected]

    Apr. 02, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://security.netapp.com/advisory/ntap-20240402-0001/ [No types assigned]
  • CVE Modified by [email protected]

    Apr. 01, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://github.com/amlweems/xzbot [No types assigned]
    Added Reference Red Hat, Inc. https://news.ycombinator.com/item?id=39895344 [No types assigned]
    Added Reference Red Hat, Inc. https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094 [No types assigned]
  • Initial Analysis by [email protected]

    Apr. 01, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    Changed Reference Type https://access.redhat.com/security/cve/CVE-2024-3094 No Types Assigned https://access.redhat.com/security/cve/CVE-2024-3094 Vendor Advisory
    Changed Reference Type https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ No Types Assigned https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ Third Party Advisory
    Changed Reference Type https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ No Types Assigned https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ Third Party Advisory
    Changed Reference Type https://boehs.org/node/everything-i-know-about-the-xz-backdoor No Types Assigned https://boehs.org/node/everything-i-know-about-the-xz-backdoor Third Party Advisory
    Changed Reference Type https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 No Types Assigned https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 Mailing List, Vendor Advisory
    Changed Reference Type https://bugs.gentoo.org/928134 No Types Assigned https://bugs.gentoo.org/928134 Issue Tracking, Third Party Advisory
    Changed Reference Type https://bugzilla.redhat.com/show_bug.cgi?id=2272210 No Types Assigned https://bugzilla.redhat.com/show_bug.cgi?id=2272210 Issue Tracking, Vendor Advisory
    Changed Reference Type https://bugzilla.suse.com/show_bug.cgi?id=1222124 No Types Assigned https://bugzilla.suse.com/show_bug.cgi?id=1222124 Issue Tracking, Third Party Advisory
    Changed Reference Type https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 No Types Assigned https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 Third Party Advisory
    Changed Reference Type https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 No Types Assigned https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 Third Party Advisory
    Changed Reference Type https://github.com/advisories/GHSA-rxwq-x6h5-x525 No Types Assigned https://github.com/advisories/GHSA-rxwq-x6h5-x525 Third Party Advisory
    Changed Reference Type https://github.com/karcherm/xz-malware No Types Assigned https://github.com/karcherm/xz-malware Third Party Advisory
    Changed Reference Type https://gynvael.coldwind.pl/?lang=en&id=782 No Types Assigned https://gynvael.coldwind.pl/?lang=en&id=782 Technical Description, Third Party Advisory
    Changed Reference Type https://lists.debian.org/debian-security-announce/2024/msg00057.html No Types Assigned https://lists.debian.org/debian-security-announce/2024/msg00057.html Mailing List, Third Party Advisory
    Changed Reference Type https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html No Types Assigned https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html Third Party Advisory
    Changed Reference Type https://lwn.net/Articles/967180/ No Types Assigned https://lwn.net/Articles/967180/ Issue Tracking, Third Party Advisory
    Changed Reference Type https://news.ycombinator.com/item?id=39865810 No Types Assigned https://news.ycombinator.com/item?id=39865810 Issue Tracking, Third Party Advisory
    Changed Reference Type https://news.ycombinator.com/item?id=39877267 No Types Assigned https://news.ycombinator.com/item?id=39877267 Issue Tracking
    Changed Reference Type https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ No Types Assigned https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ Third Party Advisory
    Changed Reference Type https://security.alpinelinux.org/vuln/CVE-2024-3094 No Types Assigned https://security.alpinelinux.org/vuln/CVE-2024-3094 Third Party Advisory
    Changed Reference Type https://security.archlinux.org/CVE-2024-3094 No Types Assigned https://security.archlinux.org/CVE-2024-3094 Third Party Advisory
    Changed Reference Type https://security-tracker.debian.org/tracker/CVE-2024-3094 No Types Assigned https://security-tracker.debian.org/tracker/CVE-2024-3094 Third Party Advisory
    Changed Reference Type https://tukaani.org/xz-backdoor/ No Types Assigned https://tukaani.org/xz-backdoor/ Issue Tracking, Vendor Advisory
    Changed Reference Type https://twitter.com/debian/status/1774219194638409898 No Types Assigned https://twitter.com/debian/status/1774219194638409898 Press/Media Coverage
    Changed Reference Type https://twitter.com/infosecb/status/1774595540233167206 No Types Assigned https://twitter.com/infosecb/status/1774595540233167206 Press/Media Coverage
    Changed Reference Type https://twitter.com/infosecb/status/1774597228864139400 No Types Assigned https://twitter.com/infosecb/status/1774597228864139400 Press/Media Coverage
    Changed Reference Type https://twitter.com/LetsDefendIO/status/1774804387417751958 No Types Assigned https://twitter.com/LetsDefendIO/status/1774804387417751958 Third Party Advisory
    Changed Reference Type https://ubuntu.com/security/CVE-2024-3094 No Types Assigned https://ubuntu.com/security/CVE-2024-3094 Third Party Advisory
    Changed Reference Type https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 No Types Assigned https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 Third Party Advisory, US Government Resource
    Changed Reference Type https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils No Types Assigned https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils Third Party Advisory
    Changed Reference Type https://www.openwall.com/lists/oss-security/2024/03/29/4 No Types Assigned https://www.openwall.com/lists/oss-security/2024/03/29/4 Mailing List
    Changed Reference Type https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users No Types Assigned https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users Vendor Advisory
    Changed Reference Type https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils No Types Assigned https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils Third Party Advisory
    Changed Reference Type https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ No Types Assigned https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ Press/Media Coverage
    Changed Reference Type https://xeiaso.net/notes/2024/xz-vuln/ No Types Assigned https://xeiaso.net/notes/2024/xz-vuln/ Third Party Advisory
    Added CPE Configuration OR *cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:* *cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*
  • CVE Modified by [email protected]

    Apr. 01, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://twitter.com/LetsDefendIO/status/1774804387417751958 [No types assigned]
  • CVE Modified by [email protected]

    Apr. 01, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://ubuntu.com/security/CVE-2024-3094 [No types assigned]
    Added Reference Red Hat, Inc. https://github.com/advisories/GHSA-rxwq-x6h5-x525 [No types assigned]
    Added Reference Red Hat, Inc. https://bugs.gentoo.org/928134 [No types assigned]
    Added Reference Red Hat, Inc. https://lists.debian.org/debian-security-announce/2024/msg00057.html [No types assigned]
    Added Reference Red Hat, Inc. https://twitter.com/debian/status/1774219194638409898 [No types assigned]
    Added Reference Red Hat, Inc. https://twitter.com/infosecb/status/1774597228864139400 [No types assigned]
    Added Reference Red Hat, Inc. https://twitter.com/infosecb/status/1774595540233167206 [No types assigned]
    Added Reference Red Hat, Inc. https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 [No types assigned]
    Added Reference Red Hat, Inc. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024 [No types assigned]
    Added Reference Red Hat, Inc. https://github.com/karcherm/xz-malware [No types assigned]
    Added Reference Red Hat, Inc. https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 [No types assigned]
    Added Reference Red Hat, Inc. https://xeiaso.net/notes/2024/xz-vuln/ [No types assigned]
    Added Reference Red Hat, Inc. https://lwn.net/Articles/967180/ [No types assigned]
    Added Reference Red Hat, Inc. https://boehs.org/node/everything-i-know-about-the-xz-backdoor [No types assigned]
    Added Reference Red Hat, Inc. https://tukaani.org/xz-backdoor/ [No types assigned]
  • CVE Modified by [email protected]

    Mar. 31, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://news.ycombinator.com/item?id=39877267 [No types assigned]
    Added Reference Red Hat, Inc. https://gynvael.coldwind.pl/?lang=en&id=782 [No types assigned]
  • CVE Modified by [email protected]

    Mar. 30, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html [No types assigned]
  • CVE Modified by [email protected]

    Mar. 30, 2024

    Action Type Old Value New Value
    Added Reference Red Hat, Inc. https://news.ycombinator.com/item?id=39865810 [No types assigned]
    Added Reference Red Hat, Inc. https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/ [No types assigned]
    Added Reference Red Hat, Inc. https://www.theregister.com/2024/03/29/malicious_backdoor_xz/ [No types assigned]
    Added Reference Red Hat, Inc. https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 [No types assigned]
    Added Reference Red Hat, Inc. https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils [No types assigned]
    Added Reference Red Hat, Inc. https://aws.amazon.com/security/security-bulletins/AWS-2024-002/ [No types assigned]
    Added Reference Red Hat, Inc. https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils [No types assigned]
    Added Reference Red Hat, Inc. https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/ [No types assigned]
    Added Reference Red Hat, Inc. https://bugzilla.suse.com/show_bug.cgi?id=1222124 [No types assigned]
    Added Reference Red Hat, Inc. https://security.archlinux.org/CVE-2024-3094 [No types assigned]
    Added Reference Red Hat, Inc. https://security.alpinelinux.org/vuln/CVE-2024-3094 [No types assigned]
    Added Reference Red Hat, Inc. https://security-tracker.debian.org/tracker/CVE-2024-3094 [No types assigned]
  • CVE Modified by [email protected]

    Mar. 29, 2024

    Action Type Old Value New Value
    Changed Description Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions. Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
  • CVE Received by [email protected]

    Mar. 29, 2024

    Action Type Old Value New Value
    Added Description Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.
    Added Reference Red Hat, Inc. https://access.redhat.com/security/cve/CVE-2024-3094 [No types assigned]
    Added Reference Red Hat, Inc. https://bugzilla.redhat.com/show_bug.cgi?id=2272210 [No types assigned]
    Added Reference Red Hat, Inc. https://www.openwall.com/lists/oss-security/2024/03/29/4 [No types assigned]
    Added Reference Red Hat, Inc. https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users [No types assigned]
    Added CWE Red Hat, Inc. CWE-506
    Added CVSS V3.1 Red Hat, Inc. AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-3094 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-3094 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: