Last week security researchers publicised a malicious backdoor in the XZ Utils library, a widely used suite of software that gives developers lossless compression and is commonly used for compressing software releases and Linux kernel images. The backdoor could, under certain circumstances, be used to run unauthorised code via the encrypted SSH connection protocol.
The vulnerability has been given the formal identifier CVE-2024-3094 and is being reported under the names XZ backdoor and XZ Utils backdoor.
To date there are no known reports of the compromised version of XZ being part of any production release of the major Linux distributions. However, both Red Hat and Debian have disclosed that the compromised version was included in recently published beta releases, and Arch Linux was also affected. The compromised version also impacted macOS developers using the Homebrew package manager if they had previously installed XZ, as well as Windows developers running the WSL development environment.
At Kamma we have checked all of our platforms and services, as well as all of our laptops and servers running macOS, Linux and Windows, and we would like to reassure our customers that Kamma is not affected by this compromised package.
However, if you would like to discuss this in greater detail or require any further information, please contact us at support@kammadata.com.
More information on the technical aspects of this vulnerability can be found here: https://nvd.nist.gov/vuln/detail/CVE-2024-3094.