CVE-2024-3094

Xz: malicious code in distributed source

Published: 3/29/2024 Last updated: 7/5/2025 Reserved: 3/29/2024

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	10	Critical	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Opam packages affected (3)

conf-libdw conf-liblzma gmp

Products affected (14)

Product	Vendor	Version
		Magento 2.2 prior to 2.2.10
Red Hat Enterprise Linux 10	Red Hat	< 4.22.2
Red Hat Enterprise Linux 6	Red Hat	20.3.2_925
Red Hat Enterprise Linux 7	Red Hat	3.0.0 p7
Red Hat Enterprise Linux 8	Red Hat	Magento 2.3 prior to 2.3.3 or 2.3.2-p1
Red Hat Enterprise Linux 9	Red Hat	3.1.0
Red Hat JBoss Enterprise Application Platform 8	Red Hat	20.3.2.1
		n/a
Red Hat Enterprise Linux 10	Red Hat	n/a
Red Hat Enterprise Linux 6	Red Hat	20.6.3.1
Red Hat Enterprise Linux 7	Red Hat	20.6.4
Red Hat Enterprise Linux 8	Red Hat	20.6.3.0.31
Red Hat Enterprise Linux 9	Red Hat	< e1c9d32c98309ae764893a481552d3f99d46cb34
Red Hat JBoss Enterprise Application Platform 8	Red Hat	n/a

References (116)

Credits (2)

Red Hat would like to thank Andres Freund for reporting this issue.
Red Hat would like to thank Andres Freund for reporting this issue.