Critical XZ Utils vulnerability (CVE-2024-3094) compromises Linux systems

Help Net Security March 29, 2024, 07:00 PM UTC

Summary: A critical vulnerability (CVE-2024-3094) in XZ Utils may allow unauthorized access to Linux systems via sshd. Versions 5.6.0 and 5.6.1 of the xz libraries contain malicious code. Red Hat warns Fedora 41 and Rawhide users to stop using the affected packages. Debian advises updating xz-utils on its testing, unstable, and experimental distributions. Red Hat, other distributions, and CISA collaborated to address the threat promptly. CISA recommends downgrading to a secure version such as XZ Utils 5.4.6 Stable.

Timeline:

  1. [5.6]
    Volunteer engineer finds cybersecurity threat in XZ Utils (The Japan Times)
    151d 16h

  2. [5.5]
    XZ Utils backdoored for covert SSH access on Linux (Help Net Security)
    152d 12h

  3. [5.6]
    Malicious code found in XZ Utils on Good Friday (The Guardian)
    154d 10h

  4. [6.6]
    Andres Freund prevented cybersecurity breach in XZ Utils software (The Hindu)
    154d 20h

  5. [5.6]
    Andres Freund uncovers sabotage in XZ Utils, preventing crisis (The Japan Times)
    155d 0h

  6. [6.1]
    Backdoor discovered in XZ Utils by Microsoft developer (The Intercept)
    157d 2h

  7. [5.9]
    Free online scanner detects XZ Utils backdoor in Linux (TechRadar)
    157d 9h

  8. [6.2]
    Linux narrowly avoided cyber attack from XZ Utils backdoor (The Verge)
    158d 1h

  9. [5.7]
    Supply chain attack targets XZ Utils in Linux distributions (Cybersecurity Dive)
    158d 3h

  10. [7.2]
    Backdoor in XZ Utils allows unauthorized root access (WIRED)
    158d 16h

  11. [5.9]
    Backdoor in XZ Utils poses security risk in Linux (Nextgov/FCW)
    159d 9h

  12. [5.8]
    Critical Linux vulnerability; update XZ Utils before 5.6.0 (IT World Canada)
    159d 13h

  13. [5.9]
    Backdoor found in xz Utils for Linux systems (Ars Technica)
    159d 18h

  14. [6.3]
    Critical xz package vulnerability discovered on Debian, CVE-2024-3094 (TechRadar)
    160d 4h

  15. [5.9]
    XZ Utils compromised by maintainer "Jia Tan." (Help Net Security)
    160d 6h

  16. [6.6]
    Critical XZ Utils vulnerability allows unauthorized system access (Help Net Security)
    160d 17h

  17. [5.9]
    Critical security flaw in xz-utils threatens Linux and macOS (Security Boulevard)
    160d 20h

  18. [5.5]
    Malicious code in xz libraries poses security threat (The New Stack)
    161d 6h

  19. [4.3]
    Backdoor in xz compression utility version 5.6.0 discovered (SC Media)
    162d 1h
  20. [4.1]
    Backdoor found in xz Utils 5.6.0/5.6.1, affecting Linux distributions (Ars Technica)
    162d 5h