XZ Utils backdoor

Image caption: Previous XZ logo contributed by Jia Tan
CVE identifier(s): CVE-2024-3094
Date discovered: at or before 27 March 2024 (2024-03-27)[1][2]
Date of public disclosure: 29 March 2024 (2024-03-29)
Date patched: 29 March 2024 (2024-03-29)[a][3]
Discoverer: Andres Freund
Affected software: xz / liblzma library
Website: tukaani.org/xz-backdoor/

In February 2024, a malicious backdoor was introduced to the Linux build of the xz utility within the liblzma library in versions 5.6.0 and 5.6.1 by an account using the name "Jia Tan".[b][4] The backdoor gives an attacker who possesses a specific Ed448 private key remote code execution through OpenSSH on the affected Linux system. The issue has been given the Common Vulnerabilities and Exposures number CVE-2024-3094 and has been assigned a CVSS score of 10.0, the highest possible score.[5]

While xz is present in most Linux distributions, at the time of discovery the backdoored version had not yet been widely deployed to production systems; it was, however, present in development versions of major distributions.[6] The backdoor was discovered by the software developer Andres Freund, who announced his findings on 29 March 2024.[7]
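The article names the two backdoored releases (5.6.0 and 5.6.1), the affected library (liblzma) and the path by which the backdoor reaches a system (OpenSSH). The following POSIX shell script is an added example, not part of the original article or of the xz project: it checks whether the installed xz reports one of those two versions and whether the local sshd binary dynamically loads liblzma (directly or through another library it depends on). The sshd path /usr/sbin/sshd and the assumption that the first line of `xz --version` reads "xz (XZ Utils) 5.x.y" are the script's own, not the article's.

```shell
#!/bin/sh
# Added example (not from the article or the xz project): a defender-side
# check for the two backdoored xz/liblzma releases named in the text.

# is_affected_xz_version VERSION
# Returns 0 (true) only for the two releases the article identifies.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# parse_xz_version LINE
# Extracts "5.6.1" from a line such as "xz (XZ Utils) 5.6.1"; prints nothing
# when the line does not have that shape. Assumed output format, not from the article.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# installed_xz_version
# Prints the version of the xz binary on PATH, or returns 1 if xz is absent.
installed_xz_version() {
    command -v xz >/dev/null 2>&1 || return 1
    parse_xz_version "$(xz --version 2>/dev/null | head -n 1)"
}

# sshd_links_liblzma PATH
# Returns 0 when the binary at PATH resolves liblzma at load time, which is the
# condition under which a backdoored liblzma ends up inside the OpenSSH process.
# Returns 2 when ldd is unavailable so the caller can tell "no" from "unknown".
sshd_links_liblzma() {
    command -v ldd >/dev/null 2>&1 || return 2
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

main() {
    sshd_path="${1:-/usr/sbin/sshd}"   # assumed default location, override via $1

    if v=$(installed_xz_version) && [ -n "$v" ]; then
        if is_affected_xz_version "$v"; then
            echo "WARNING: xz $v is one of the backdoored releases (CVE-2024-3094)"
        else
            echo "xz $v is not one of the two backdoored releases"
        fi
    else
        echo "xz not found on PATH or version line not recognised"
    fi

    if sshd_links_liblzma "$sshd_path"; then
        echo "note: $sshd_path loads liblzma; a backdoored liblzma would run inside sshd"
    elif [ "$?" -eq 2 ]; then
        echo "note: ldd unavailable, could not inspect $sshd_path"
    else
        echo "$sshd_path does not load liblzma"
    fi
}

main "$@"
```

The version check only recognises the two release strings the article gives; a distribution that shipped a patched build under a different version string, or a locally built liblzma, is outside what this script can judge, so treat a "not affected" result as a first screen rather than a verdict.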

  1. "Understanding Red Hat's response to the XZ security incident". Retrieved 4 November 2024.
  2. "Oxide and Friends 4/8/2024 -- Discovering the XZ Backdoor with Andres Freund". Retrieved 4 November 2024.
  3. Collin, Lasse. "Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094)". GitHub. Retrieved 19 June 2024.
  4. James, Sam. "xz-utils backdoor situation (CVE-2024-3094)". GitHub. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  5. Gatlan, Sergiu. "Red Hat warns of backdoor in XZ tools used by most Linux distros". BleepingComputer. Archived from the original on 29 March 2024. Retrieved 29 March 2024.
  6. "CVE-2024-3094". National Vulnerability Database. NIST. Archived from the original on 2 April 2024. Retrieved 2 April 2024.
  7. Corbet, Jonathan. "A backdoor in xz". LWN. Archived from the original on 1 April 2024. Retrieved 2 April 2024.



