Critical remote code execution vulnerability in XZ Library (CVE-2024-3094)

Imechapishwa: Apr 03, 2024 08:58

Advisory No: TZCERT/SA/2024/04/02

Source: Arch Linux, Red Hat

Software Affected: XZ Library versions 5.6.0 and 5.6.1

Overview

Description

Advisory No: TZCERT/SA/2024/04/02

Date of First Release: 2nd April 2024

Source: Arch Linux, Red Hat

Software Affected: XZ Library versions 5.6.0 and 5.6.1

Overview:

Arch Linux and Red Hat have released security patches to address a critical vulnerability affecting the xz library. The vulnerability could allow an attacker to execute arbitrary code.

Description:

Xz is a general-purpose data compression format present in nearly every Linux distribution. This library is affected by a critical vulnerability tracked as CVE-2024-3094. The vulnerability is the result of the absence of M4 macro files that contain the instructions for building with automakes in the tarballs. This issue results in additional software modification thus leading to arbitrary code execution.

Impact:

Successful exploitation of this vulnerability may allow the attacker to take control of the affected system.

Solution:

Multiple Operating System vendors have released patches for this vulnerability. Users and administrators are encouraged to apply necessary updates.

References:

  1. https://security.archlinux.org/ASA-202403-1
  2. https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

Impact

Solution

References

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Ripoti Tukio