LAST UPDATED April 25, 2024
CVE-2024-3094 was disclosed on March 28, 2024. With a critical impact rating and a CVSS score of 10.0, it highlights the importance of vigilance and proactive security measures.
Upon learning of CVE-2024-3094, members of our team conducted a thorough investigation to assess any potential exposure within our systems and products. ThreatX does not utilize the compromised XZ libraries (versions 5.6.0 or 5.6.1) and is therefore not vulnerable to the backdoor.
While we are confident in the security of our systems, our security team is actively monitoring the situation and engaging with the broader security community to stay abreast of any developments related to this CVE.
CVE-2024-3094 pertains to the discovery of malicious code in the upstream tarballs of xz, specifically versions 5.6.0 and 5.6.1. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file and uses it to modify the liblzma code. The resulting modified library is loaded by any software linked against it, allowing the malicious code to intercept and modify that software's data interactions with the library, which poses a substantial risk.
The issue currently affects Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem, with no reported impact on Red Hat Enterprise Linux (RHEL) versions. It is crucial to note that the malicious code ships only in the downloadable release tarballs: the Git repository lacks the malicious M4 macro needed to trigger the build of the compromised code. Nevertheless, the second-stage artifacts are present in the Git repository, so the compromised code could still be built if the M4 macro were inadvertently merged.
We encourage all organizations to review their systems for any use of the affected xz versions and to apply the necessary patches promptly. Also monitor official sources, such as the National Vulnerability Database (NVD) entry for CVE-2024-3094, for reliable updates and details regarding mitigation measures.
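The review recommended above starts with finding out which xz/liblzma version a host actually runs. The following POSIX shell script is an added example (not ThreatX's tooling or part of the original advisory) that reads the version from `xz --version` and, failing that, from the dpkg or rpm package database, then compares it against the two affected releases named in the CVE. The package names `liblzma5` (Debian/Ubuntu) and `xz-libs` (Fedora/RHEL) and the Debian `+really` downgrade convention are assumptions about common distribution packaging, not facts from the advisory.

```shell
#!/bin/sh
# Added example, not part of the original advisory: report whether a host's
# xz / liblzma is one of the versions named in CVE-2024-3094 (5.6.0, 5.6.1).

# Returns 0 if the version string is one of the affected releases, 1 otherwise.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version` output,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Reduce a distribution package version to the upstream version it really
# contains. Assumed conventions: Debian's "+really" marks a downgrade, so
# "5.6.1+really5.4.5-1" -> "5.4.5"; a plain "5.6.0-0.2" -> "5.6.0".
upstream_version() {
    v=$1
    case "$v" in *+really*) v=${v#*+really} ;; esac
    printf '%s\n' "$v" | sed 's/[-+].*//'
}

# Determine the installed version and print a verdict. Exit status:
# 0 = affected version found, 1 = not affected, 2 = could not determine.
check_system_xz() {
    ver=""
    if command -v xz >/dev/null 2>&1; then
        ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    fi
    # Fall back to the package manager when the xz binary is missing
    # (package names liblzma5 / xz-libs are assumed, see lead-in).
    if [ -z "$ver" ] && command -v dpkg-query >/dev/null 2>&1; then
        ver=$(upstream_version "$(dpkg-query -W -f='${Version}' liblzma5 2>/dev/null)")
    fi
    if [ -z "$ver" ] && command -v rpm >/dev/null 2>&1; then
        ver=$(upstream_version "$(rpm -q --qf '%{VERSION}-%{RELEASE}' xz-libs 2>/dev/null)")
    fi
    if [ -z "$ver" ]; then
        echo "xz/liblzma version could not be determined; inspect manually"
        return 2
    fi
    if is_affected_xz_version "$ver"; then
        echo "AFFECTED: installed xz $ver matches CVE-2024-3094; patch or downgrade"
        return 0
    fi
    echo "not affected: installed xz $ver"
    return 1
}

# Run the check only when invoked with --check, so the functions can also be
# sourced from other scripts.
if [ "${1-}" = "--check" ]; then
    check_system_xz
fi
```

Run it as `sh check_xz.sh --check`. The version match is exact on purpose: a vendor package labelled 5.6.1 that has been rebuilt from 5.4.x (the `+really` case) is reported as clean, while any host where the version cannot be read at all is flagged for manual review rather than silently passed.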