TL;DR:
A backdoor was introduced into the XZ Linux utility via a supply chain compromise. The backdoor impacts newer Linux distributions from within the last 30 days.
The details:
- On March 29, 2024 (today), researchers identified a backdoor in the XZ Linux utility. Many standard Linux applications use the XZ utility, and it’s included in many distributions by default.
- The XZ Linux utility is used by a variety of software, most notably the Secure Shell Protocol (SSH). Other software versions besides the affected Linux distributions may also be affected. At this time, we do not have a comprehensive list of what software may be built from the affected Linux distributions and may therefore use the compromised XZ Linux utility.
- This issue is tracked as CVE-2024-3094.
Why we are telling you:
- Linux distributions in your environment may be impacted if they use XZ 5.6.0 or 5.6.1.
- Expel and our assemblers are not impacted.
Immediate recommendations:
- Identify hosts running XZ version 5.6.0 or 5.6.1 and downgrade to 5.4.6 or earlier.
- Involve your internal security and development teams to validate that only unaffected versions of XZ are being used in your environment.
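
One way to carry out the first recommendation on a single host, as an added example (not Expel's tooling): it classifies the output of `xz --version` against the two versions named above. The function names are assumptions, and the sample output is constructed in the shape `xz --version` prints.

```shell
#!/bin/sh
# Added example: classify `xz --version` output against the versions this
# advisory names (5.6.0 and 5.6.1). Function names are illustrative.

AFFECTED="5.6.0 5.6.1"

# Print the version numbers found in `xz --version` output read from stdin.
# That output has one line for the xz binary and one for the liblzma library,
# and the two can differ, so both are collected.
extract_versions() {
    awk '$1 == "xz" { print $NF } $1 == "liblzma" { print $2 }'
}

# Read `xz --version` output on stdin and print one verdict:
#   affected - a reported version is 5.6.0 or 5.6.1
#   ok       - versions were parsed and none of them is listed
#   unknown  - nothing could be parsed; review the host by hand
classify_xz() {
    versions=$(extract_versions)
    if [ -z "$versions" ]; then
        echo "unknown"
        return 0
    fi
    for v in $versions; do
        for bad in $AFFECTED; do
            if [ "$v" = "$bad" ]; then
                echo "affected"
                return 0
            fi
        done
    done
    echo "ok"
}

# Check the xz found on this host's PATH, if there is one.
check_local_host() {
    if command -v xz >/dev/null 2>&1; then
        echo "$(uname -n): $(xz --version 2>/dev/null | classify_xz)"
    else
        echo "$(uname -n): xz not found on PATH"
    fi
}

# Constructed sample: binary and library both at 5.6.1.
printf 'xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n' | classify_xz
check_local_host
```

Hosts that report `unknown` or have no `xz` on PATH still need a package-level check, since software can link the library without the command-line tool being installed.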
References:
https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/