← Go back to Info :: LinuxServer.io

Regarding CVE-2024-3094 - Supply Chain Compromise Affecting XZ Utils

March 29, 2024 at 10:00 PM

Vulnerabilities

Resolved after 288h 0m April 10, 2024 at 10:00 PM

Update - 2024-04-10

At this point we are comfortable that there was and is no risk to any of our images as a result of the XZ backdoor and are considering the issue resolved.

Update - 2024-03-30

Further analysis of the exploit code indicates that it is only functional on amd64 hardware running glibc and a deb or rpm-based Linux distribution. The original CISA alert stated that the exploit could allow remote code execution, however, it remains unclear exactly what the payload was intended to do and so they have changed their description to “may allow unauthorized access to affected systems”.

As best we can tell at this point, none of our images were or are impacted by this vulnerability, but our original recommendations remain in place.

Original Post

A supply chain compromise has been discovered in the XZ Utils data compression library, being tracked under CVE-2024-3094, which could allow remote code execution under certain circumstances. The original report is available here if you are interested in the technical details.

We have evaluated all of our current base images for indications that they may be vulnerable to this exploit:

  • Our Ubuntu, Debian, and Fedora base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.
  • Our Arch base image did contain an affected version of XZ Utils, and we have now pushed an updated build that includes a fixed version of the XZ package.
  • Our Alpine Edge base image did contain an affected version of XZ Utils, but did not appear to be vulnerable due to the exploit’s dependency on glibc, and we have now pushed an updated build that includes a fixed version of the XZ package.
  • Our other Alpine base images are using older versions of XZ Utils which do not appear to contain the vulnerable code.

So far the only exploitation path that has been observed is via SSH, and so in the vast majority of cases could not be exploited in any of our container environments, but we always recommend that you ensure any internet-facing containers are properly secured and kept up to date.

We will update this post as and when more information becomes available.

Last updated: April 10, 2024 at 7:51 PM

© Info :: LinuxServer.io, 2024   •   Back to top

LinuxServer.io Status page

Powered by cState

⚡ Subscribe via RSS — to all updates