CVE-2024-3094: Critical vulnerability in upstream xz tarballs (versions 5.6.0 and 5.6.1) that enables a backdoor in the liblzma library, allowing data interception or modification by any software linked against the affected library. Exploitation is possible remotely over the network with no privileges and no user interaction.


Description

Malicious code was discovered in the upstream tarballs of xz starting with version 5.6.0. Through a series of obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file within the source tree, which is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that can be used, via any software linked against it, to intercept and modify data passing through the library. The impact is rated Critical, with CVSS 3.1 metrics indicating a network attack vector, no required privileges, no user interaction, and a Changed scope affecting confidentiality, integrity, and availability. Affected releases are upstream 5.6.0 and 5.6.1, and multiple distributions (including Red Hat Enterprise Linux) have issued advisories and public statements. The issue is categorized as Embedded Malicious Code (CWE-506) and has received extensive coverage across security mailing lists, vendor advisories, and the press.

Overview

The CVE describes a critical supply-chain flaw in xz: malicious code embedded in the upstream tarballs produces a modified liblzma library that any linked software can be leveraged through to intercept or alter data passing through that library. The vulnerability has a network vector, requires no privileges, and requires no user interaction, making it broadly dangerous across affected systems. Versions 5.6.0 and 5.6.1 are confirmed as affected, and multiple vendors and upstream community discussions have circulated advisories and analyses. Because the root cause is malicious code inside the source distribution itself, the case underscores the importance of secure build pipelines, verified sources, and robust supply-chain controls.

Remediation

  • Upgrade to a fixed upstream release of xz (beyond 5.6.1). Apply the upstream patch or a distribution-provided update that contains the fix (e.g., a 5.6.2+ release) and verify the integrity of the updated binaries.
  • For Red Hat customers, apply the vendor security advisory and update the xz package in your RHEL 6, 7, 8, and 9 deployments using the appropriate package manager (yum/dnf) and following Red Hat guidance. Reboot or restart affected services as recommended.
  • Rebuild all software that links against liblzma from trusted sources after updating xz, and re-test critical workflows to ensure the patched library is in use.
  • Validate the integrity of downloaded tarballs and source code with checksums and signatures; enforce strict provenance checks in your build pipelines to prevent inclusion of prebuilt or disguised artifacts.
  • Audit and harden build pipelines:
    • Disable or detect prebuilt object files embedded in source trees.
    • Implement reproducible builds and code signing for all third-party components.
    • Introduce mandatory verification steps (hash/signature verification) before accepting external sources.
  • Monitor for indicators of compromise in your environment (unexpected liblzma variations, modified binaries, or unusual build artifacts) and review access controls to the build and distribution pipelines.
  • If upgrading is not immediately possible, mitigate by restricting usage of affected xz components where feasible and by isolating build processes from untrusted inputs, while keeping an eye on vendor advisories for a timely fix.
  • After applying fixes, perform a targeted security test plan focusing on data interactions through liblzma and validate that no malicious code paths remain in the patched library.
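The checks above (confirm the installed xz is not one of the affected releases, verify checksums and signatures before accepting a tarball) can be scripted. The following POSIX sh helpers are an added example, not code from the advisory or from the xz project; the release file name and digest in the usage comment are placeholders, and `verify_signature` assumes the release maintainer's OpenPGP key is already in the local keyring.

```shell
#!/bin/sh
# Added example for triaging CVE-2024-3094; not part of the advisory or of
# the xz project. Assumes POSIX sh and, where used, the xz, sha256sum (or
# shasum) and gpg binaries on PATH. Release file names are placeholders.

# Return 0 when the version string is one of the two affected upstream
# releases named in the advisory (5.6.0 and 5.6.1), 1 otherwise.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` text read from stdin.
# The first line looks like "xz (XZ Utils) 5.4.6"; the last field is the version.
parse_xz_version() {
    awk 'NR == 1 { print $NF; exit }'
}

# Compare a file's SHA-256 digest with an expected value (lowercase hex).
# Returns 0 on match, 1 on mismatch or if the file cannot be hashed.
verify_sha256() {
    file=$1
    expected=$2
    actual=$( { sha256sum "$file" 2>/dev/null || shasum -a 256 "$file" 2>/dev/null; } \
              | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Check a detached OpenPGP signature on a downloaded tarball. gpg returns
# non-zero on a bad signature or an unknown key, so the result can gate a build.
verify_signature() {
    tarball=$1
    signature=$2
    gpg --verify "$signature" "$tarball" 2>/dev/null
}

# Report whether the installed xz is one of the affected releases.
# Exit status 0 = not affected or xz absent, 2 = affected.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    if is_affected_xz_version "$ver"; then
        echo "AFFECTED: xz $ver (CVE-2024-3094)"
        return 2
    fi
    echo "not affected: xz $ver"
    return 0
}

# Usage: run with --check to inspect the local installation. To gate a
# download, replace the placeholder name and digest with the values
# published for the release you fetched:
#   verify_sha256 xz-X.Y.Z.tar.gz "<sha256 from the release announcement>" \
#     && verify_signature xz-X.Y.Z.tar.gz xz-X.Y.Z.tar.gz.sig
if [ "${1:-}" = "--check" ]; then
    check_installed_xz
fi
```

`is_affected_xz_version` deliberately matches only the two releases the advisory names rather than a range, so a patched distribution package that still reports a 5.6.x version is not misreported; the hash and signature checks are meant to run before a tarball is unpacked, so a disguised artifact never reaches the build step.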

References

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Low
  2. Health Care & Social Assistance: Low
  3. Finance and Insurance: Low
  4. Transportation & Warehousing: Low
  5. Arts, Entertainment & Recreation: Low
  6. Other Services (except Public Administration): Low
  7. Educational Services: Low
  8. Information: Low
  9. Management of Companies & Enterprises: Low
  10. Professional, Scientific, & Technical Services: Low
  11. Accommodation & Food Services: Low
  12. Administrative, Support, Waste Management & Remediation Services: Low
  13. Agriculture, Forestry, Fishing & Hunting: Low
  14. Construction: Low
  15. Mining: Low
  16. Public Administration: Low
  17. Real Estate Rental & Leasing: Low
  18. Retail Trade: Low
  19. Utilities: Low
  20. Wholesale Trade: Low

Vendors

Red Hat
  1. Red Hat Enterprise Linux 6: cpe:/o:redhat:enterprise_linux:6
  2. Red Hat Enterprise Linux 7: cpe:/o:redhat:enterprise_linux:7
  3. Red Hat Enterprise Linux 8: cpe:/o:redhat:enterprise_linux:8
  4. Red Hat Enterprise Linux 9: cpe:/o:redhat:enterprise_linux:9
  5. Red Hat JBoss Enterprise Application Platform 8: cpe:/a:redhat:jboss_enterprise_application_platform:8
