“Critical Warning for Fedora Linux Users: Red Hat Urges Immediate Action Against Malicious Code – BetaNews”

Crucial Security Alert: Red Hat Identifies Critical Vulnerability in the Latest “xz” Compression Tools

In a recent security announcement, Red Hat’s Information Risk and Security and Product Security teams have uncovered a dangerous security flaw in the newest versions of the “xz” compression tools and libraries. This vulnerability has been labeled as critical and could potentially allow unauthorized access to affected systems.

Affecting Fedora Linux 40 and Rawhide Users

Fedora Linux 40 users and those using Fedora Rawhide, the development distribution for future Fedora builds, are at high risk of being impacted by this vulnerability. Red Hat urgently recommends that all users immediately cease using the Rawhide distribution for both work and personal activities until the issue is resolved.

CVE-2024-3094: A Serious Threat

The vulnerability, designated CVE-2024-3094, poses a serious threat to those who have upgraded to the compromised versions of the xz libraries. Red Hat advises all Fedora Rawhide users to downgrade to the safer xz-5.4.x version and is working on reverting Rawhide to this version to ensure the safety of users.

Take Precautions: Downgrade to the 5.4 Version

While Fedora Linux 40 builds have not been confirmed to be compromised, it is still recommended to downgrade to the 5.4 version as a precautionary measure. An update to revert xz to the 5.4.x version has been released and is currently being distributed to Fedora Linux 40 users through the normal update system. Users can expedite the update by following instructions provided by Red Hat.

Malicious Code Targeting Authentication

The malicious code found in the affected xz versions is obfuscated and targets the authentication process in sshd via systemd. This could potentially allow a malicious actor to bypass sshd authentication and gain unauthorized remote access to the system. The complete malicious code is present only in the download package; the Git distribution lacks the M4 macro that triggers the malicious code build.
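A host triage check for the two points above (which xz series is installed, and whether sshd actually loads liblzma), written for this page as an added example and not taken from Red Hat or BetaNews. The function names and verdict strings are this example's own, the sample input is constructed, and any 5.6.x version is treated as affected because that is the series the article names.

```shell
#!/bin/sh
# Added triage example; verdict names are this example's own, not Red Hat's.

# Pull the liblzma version out of `xz --version` text read from stdin.
liblzma_version() {
    sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# The article names the 5.6.x series as carrying the injection
# and 5.4.x as the downgrade target.
classify_version() {
    case "$1" in
        5.6|5.6.*)     echo affected ;;
        [0-9]*.[0-9]*) echo not-5.6 ;;
        *)             echo unknown ;;
    esac
}

# True when `ldd` output on stdin lists liblzma, i.e. the library is
# mapped into the process (for sshd this happens through libsystemd).
links_liblzma() {
    grep -q 'liblzma\.so'
}

# triage XZ_VERSION_TEXT LDD_SSHD_TEXT -> one verdict line
triage() {
    ver=$(printf '%s\n' "$1" | liblzma_version)
    case "$(classify_version "$ver")" in
        affected)
            if printf '%s\n' "$2" | links_liblzma; then
                echo "affected-sshd-exposed $ver"   # downgrade first
            else
                echo "affected $ver"                # still downgrade
            fi ;;
        not-5.6) echo "ok $ver" ;;
        *)       echo "unknown" ;;                  # inspect by hand
    esac
}

# Constructed sample input (not captured from a real host).
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='	libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f0000200000)
	liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f0000100000)'

triage "$SAMPLE_XZ" "$SAMPLE_LDD"
# On a live host: triage "$(xz --version)" "$(ldd "$(command -v sshd)")"
```

A version string alone does not prove a build is clean or compromised, so an "ok" verdict here only means the installed series is not 5.6.x.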

Confined to Fedora Community Ecosystem

Further investigations have revealed that the malicious packages are only present in Fedora 41 and Fedora Rawhide within the Red Hat community ecosystem. No versions of Red Hat Enterprise Linux (RHEL) are affected. However, it has been reported that the injections have also been successfully built in xz 5.6.x versions for Debian unstable (Sid), putting other distributions at risk as well.

Immediate Action Required

Users of affected distributions are strongly advised to stop using Fedora 41 or Fedora Rawhide immediately and consult with their information security teams for further guidance. Red Hat is actively working to address the issue and ensure the security of its users.

Source: https://news.google.com/rss/articles/CBMiQmh0dHBzOi8vYmV0YW5ld3MuY29tLzIwMjQvMDMvMjkvcmVkLWhhdC11cmdlbnQtYWxlcnQtZmVkb3JhLWxpbnV4L9IBAA?oc=5