XZ-Utils Backdoor - CVE-2024-3094

Overview

On March 29th, 2024, software developer Andres Freund announced that he had found a backdoor in the Linux utility xz, specifically in its liblzma library, in versions 5.6.0 and 5.6.1. xz is commonly deployed as part of most Linux distributions. This backdoor gives an attacker who holds a specific private key the ability to perform remote code execution (RCE) on an affected system. It has been assigned a CVSS score of 10.0, the highest possible.
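As an added defender-side triage check (not part of Aiven's advisory), the script below flags the two backdoored liblzma releases named above; it assumes `xz --version` prints a `liblzma <version>` line as upstream XZ Utils does, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag an installed liblzma that is one of the two backdoored
# releases from the advisory (5.6.0 and 5.6.1). Version strings are the only
# input; the page names no other indicators.

# Return 0 (true) when the version is 5.6.0 or 5.6.1, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the library version from `xz --version` output read on stdin.
# Upstream prints two lines, e.g.:
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# The liblzma line is the one that matters: the malicious code lives in
# the library, which other programs (not just the xz binary) link against.
liblzma_version_from_output() {
    awk '$1 == "liblzma" { print $2; exit }'
}

# Inspect the locally installed xz, if any. Prints a verdict and returns
# 0 when affected, 1 when not affected, 2 when xz is not installed.
check_local_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    ver=$(xz --version 2>/dev/null | liblzma_version_from_output)
    if xz_version_affected "$ver"; then
        echo "AFFECTED: liblzma $ver (CVE-2024-3094)"
        return 0
    fi
    echo "not affected: liblzma ${ver:-unknown}"
    return 1
}

# Constructed sample of `xz --version` output for an affected build.
SAMPLE_AFFECTED="xz (XZ Utils) 5.6.1
liblzma 5.6.1"

# Run the live check only when invoked as `sh script.sh --run`.
if [ "${1:-}" = "--run" ]; then
    check_local_xz
fi
```

A matching version is a trigger for investigation, not a final verdict: distributions that patched or downgraded their packages may report a different string, so confirm against your vendor's advisory.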

Is Aiven Affected?

Aiven’s platform is unaffected by this vulnerability.

Upon disclosure, we performed a comprehensive review of all potentially affected systems. While we do leverage Fedora in a large portion of our underlying service infrastructure, we are not running any affected versions. Affected versions of Fedora are Fedora Rawhide and specific versions of Fedora 40: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

We will continue to monitor this situation as it develops and are committed to ensuring the continued security of our services.

References
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
