vulnerability

SUSE: CVE-2024-3094: xz: Embedded Malicious Code

Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Mar 29, 2024
Added
Apr 1, 2024
Modified
Apr 2, 2024

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Solution(s)

suse-upgrade-xzsuse-upgrade-xz-develsuse-upgrade-xz-devel-32bitsuse-upgrade-xz-langsuse-upgrade-xz-static-devel
Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.