CVSS 3.1 : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS percentile : 95.8%
Severity: Critical
Date : 2024-03-29
CVE-ID : CVE-2024-3094
Package : xz
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2851
The package xz before version 5.6.1-2 is vulnerable to arbitrary code
execution.
Upgrade to 5.6.1-2.
The problem has been fixed upstream in version 5.6.1.
Workaround : None.
Malicious code was discovered in the upstream tarballs of xz, starting
with version 5.6.0. The tarballs included extra .m4 files, which
contained instructions for building with automake that did not exist in
the repository. These instructions, through a series of complex
obfuscations, extract a prebuilt object file from one of the test
archives, which is then used to modify specific functions in the code
while building the liblzma package. As a result, any additional software
that links liblzma, such as sshd, has the functionality it obtains from
the library handled by the modified functions.
The malicious code path does not exist in the Arch version of sshd, as
it does not link to liblzma.
However, out of an abundance of caution, we advise users to avoid the
vulnerable code on their system, as it is possible it could be triggered
from other, unidentified vectors.
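The two facts the advisory turns on, an installed xz build older than 5.6.1-2 and an sshd that loads liblzma, can be verified locally. The script below is an added example, not part of the advisory; it assumes Arch's "pkgver-pkgrel" version format as printed by `pacman -Q xz`, treats a missing pkgrel as 0, and uses constructed ldd output as sample input where pacman is not available.

```shell
#!/bin/sh
# Added example: verify the two facts this advisory hinges on.
# Assumes Arch's "pkgver-pkgrel" format as printed by `pacman -Q xz`.

# Exit 0 when VERSION is an affected xz build: 5.6.0 or 5.6.1 from the
# malicious tarballs and older than the rebuilt 5.6.1-2. A missing
# pkgrel is treated as 0, i.e. older than -2 (assumption).
xz_is_vulnerable() {
    pkgver=${1%%-*}             # "5.6.1-1" -> "5.6.1"
    pkgrel=${1#"$pkgver"}       # "-1", or "" when no pkgrel was given
    pkgrel=${pkgrel#-}
    pkgrel=${pkgrel%%.*}        # "2.1" -> "2"
    case "$pkgrel" in ''|*[!0-9]*) pkgrel=0 ;; esac
    case "$pkgver" in
        5.6.0) return 0 ;;                          # every 5.6.0 build
        5.6.1) [ "$pkgrel" -lt 2 ] && return 0 ;;   # only 5.6.1-1
    esac
    return 1
}

# Exit 0 when dynamic-linker output (ldd) lists liblzma among sshd's
# dependencies, i.e. the modified functions would be loaded into sshd.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed ldd output: an sshd without liblzma (the Arch case the
# advisory describes) and one that does pull it in.
SAMPLE_LDD_CLEAN='linux-vdso.so.1 (0x0000)
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0000)
    libc.so.6 => /usr/lib/libc.so.6 (0x0000)'
SAMPLE_LDD_LINKED='linux-vdso.so.1 (0x0000)
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0000)
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0x0000)
    libc.so.6 => /usr/lib/libc.so.6 (0x0000)'

# Live check only where pacman exists; otherwise the constructed values run.
if command -v pacman >/dev/null 2>&1; then
    ver=$(pacman -Q xz | cut -d' ' -f2)
    sshd_path=$(command -v sshd) || sshd_path=/usr/bin/sshd
    ldd_out=$(ldd "$sshd_path" 2>/dev/null || true)
else
    ver='5.6.1-1'; ldd_out=$SAMPLE_LDD_CLEAN      # constructed values
fi
xz_is_vulnerable "$ver" && echo "xz $ver: affected, upgrade to 5.6.1-2" \
                        || echo "xz $ver: not in the affected range"
sshd_links_liblzma "$ldd_out" && echo "sshd links liblzma" \
                              || echo "sshd does not link liblzma"
```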
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://security.archlinux.org/CVE-2024-3094