- 102/2024
- Critical
RedHat has warned users to immediately stop using systems running Fedora development and experimental versions because of a vulnerability found in the latest Linux XZ Utils versions 5.6.0 and 5.6.1.
The severity of the addressed vulnerability could allow the remote attacker to gain unauthorized access to the entire affected system remotely, caused by malicious embedded code in the upstream tarballs that contain instructions for building with auto-make that did not exist in the repository.
Linux XZ Utils Unauthorized Access Vulnerability (CVE-2024-3094):
- CVSS: 10
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
Kindly note that CISA has advised developers and users to downgrade from Linux XZ Utils versions 5.6.0 or 5.6.1 to older versions that do not contain malicious code and to hunt for any suspicious activity on their systems.
Vulnerabilities
CVE-2024-3094
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.