Monday, April 1, 2024

XZ Utils backdoor insertion Vulnerability CVE-2024-3094

Red Hat released an advisory for CVE-2024-3094, rated critical with a CVSS score of 10.0. The vulnerability is the result of a supply chain compromise affecting the most recent releases of the XZ tools and the liblzma library.

XZ is a lossless data compression format found on Unix-like operating systems, frequently compared to other popular compression formats such as gzip and bzip2. XZ Utils provides the xz command-line tools for compressing and decompressing XZ files, together with the liblzma library that other programs link against.

A backdoor has been identified in XZ Utils versions 5.6.0 and 5.6.1. Under some conditions it allows an attacker to bypass SSH authentication on specific versions of certain Linux distributions: the malicious code lives in liblzma, and on those distributions sshd loads liblzma indirectly through libsystemd. It was identified by a developer (Andres Freund) while investigating failing SSH logins that were causing unusually high CPU load. GitHub (owned by Microsoft) has since disabled the XZ Utils repository maintained by the Tukaani Project "due to a violation of GitHub's terms of service", and there are currently no reports of active exploitation in the wild.

It is highly recommended to check the installed version of XZ Utils and liblzma, and to downgrade to a version earlier than 5.6.0 wherever 5.6.0 or 5.6.1 is found.
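As an added example (not from the Red Hat advisory or the XZ Utils project), the following POSIX sh helpers do the version check described above and also look at whether the sshd binary on the host ends up loading liblzma, since that is what turns a backdoored library into an SSH exposure. It assumes `xz`, `awk` and `ldd` are available and that sshd, if installed, lives in one of the listed paths; the banner strings used for testing are constructed.

```shell
#!/bin/sh
# Added triage helpers for CVE-2024-3094 (not part of the original post).
# Assumptions: POSIX sh, `xz`, `awk` and `ldd` on PATH, sshd in /usr/sbin or
# /usr/local/sbin. The version strings passed in tests are constructed.

# Return 0 (true) when a version string is one of the backdoored releases
# (5.6.0 or 5.6.1); return 1 for every other value, including an empty one.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Pull the version number out of `xz --version` output, whose first line
# looks like "xz (XZ Utils) 5.6.1"; the last field of that line is the version.
xz_version_from_banner() {
    printf '%s\n' "$1" | awk 'NR==1 { print $NF; exit }'
}

# Return 0 when the given sshd binary (directly or transitively, e.g. via
# libsystemd) links liblzma, which is the path the backdoor uses to reach sshd.
sshd_links_liblzma() {
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Report the state of this host: installed xz/liblzma version and whether
# sshd would load liblzma at all. Only prints; use the functions above for
# scripted checks.
check_host() {
    ver=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "xz/liblzma $ver is a backdoored release: downgrade to a version earlier than 5.6.0"
    else
        echo "xz/liblzma ${ver:-not installed}: not one of the known backdoored releases"
    fi
    for sshd_path in /usr/sbin/sshd /usr/local/sbin/sshd; do
        if [ -x "$sshd_path" ]; then
            if sshd_links_liblzma "$sshd_path"; then
                echo "$sshd_path loads liblzma (directly or via libsystemd): the liblzma version above matters for SSH"
            else
                echo "$sshd_path does not load liblzma: SSH is not reachable by this backdoor on this host"
            fi
        fi
    done
}

check_host
```

The version check alone is not sufficient: a host can carry a backdoored liblzma without sshd ever loading it (then only the xz tools are affected), or can have sshd linking liblzma through libsystemd, which is exactly the configuration the advisory warns about. Run both halves and treat the combination as the result.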

