vulnerability
SUSE: CVE-2024-3094: xz: Embedded Malicious Code
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Mar 29, 2024 | Apr 1, 2024 | Apr 2, 2024 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Mar 29, 2024
Added
Apr 1, 2024
Modified
Apr 2, 2024
Description
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Solution(s)
suse-upgrade-xzsuse-upgrade-xz-develsuse-upgrade-xz-devel-32bitsuse-upgrade-xz-langsuse-upgrade-xz-static-devel

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.